
Google Professional Security Operations Engineer Exam - Topic 2 Question 14 Discussion

You are implementing Google Security Operations (SecOps) for your organization. Your organization has its own threat intelligence feed, which has been ingested into Google SecOps using a native integration with a Malware Information Sharing Platform (MISP). You are working on the following detection rule to leverage the command and control (C2) indicators that were ingested into the entity graph.

What code should you add to the detection rule to filter for the domain IoCs?

A) $ioc.graph.metadata.entity_type = 'DOMAIN_NAME' $ioc.graph.metadata.source_type = 'ENTITY_CONTEXT'
B) $ioc.graph.metadata.entity_type = 'DOMAIN_NAME' $ioc.graph.metadata.source_type = 'GLOBAL_CONTEXT'
C) $ioc.graph.metadata.entity_type = 'DOMAIN_NAME' $ioc.graph.metadata.source_type = 'DERIVED_CONTEXT'
D) $ioc.graph.metadata.entity_type = 'DOMAIN_NAME' $ioc.graph.metadata.source_type = 'SOURCE_TYPE_UNSPECIFIED'

Actual exam question for Google's Professional Security Operations Engineer exam
Question #: 14
Topic #: 2
Suggested Answer: B

This YARA-L rule correlates a real-time event (a DNS query, bound to $dns) with known-bad indicators stored in the Google SecOps entity graph (bound to $ioc). The added code must filter the entity graph so that only the indicators from the organization's custom MISP feed are used.

Two filters are required:

$ioc.graph.metadata.entity_type = 'DOMAIN_NAME': This line restricts the entity graph to IoCs that are domains. The rule matches the queried name from the DNS event (the $dns_query placeholder) against a known C2 domain, so the entity type must be DOMAIN_NAME.

$ioc.graph.metadata.source_type = 'ENTITY_CONTEXT': This is the key differentiator. The Google SecOps entity graph has multiple context sources. GLOBAL_CONTEXT (Option B) is threat intelligence provided by Google (e.g., Google Threat Intelligence, Mandiant). DERIVED_CONTEXT (Option C) is context inferred from UDM events. The prompt explicitly states that the IoC feed is the organization's own 'threat intelligence feed... ingested... with... MISP.' Customer-provided, third-party intelligence of this kind is classified as ENTITY_CONTEXT. Adding this line ensures the rule uses only the custom MISP feed for its IoC data, as intended.

The other lines in the $ioc block, such as product_name = 'MISP', further narrow this ENTITY_CONTEXT search.

(Reference: Google Cloud documentation, 'YARA-L 2.0 language syntax'; 'Context-aware detections with entity graph'; 'Populate the entity graph')
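
The following is an added illustration of how these two filter lines sit inside a complete context-aware YARA-L rule; it is not the rule from the question (that image is not reproduced on this page). The rule name, the meta block, the outcome variables and the use of graph.entity.hostname as the join field are assumptions.

```yaral
rule misp_c2_domain_dns_match {
  meta:
    author = "example"                               // assumed metadata
    description = "DNS query for a C2 domain from the organization's MISP feed"
    severity = "HIGH"

  events:
    // Event side: a DNS query; the queried name is captured in $dns_query
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.network.dns.questions.name = $dns_query
    $dns.principal.hostname = $host

    // Entity graph side: only domain indicators ...
    $ioc.graph.metadata.entity_type = "DOMAIN_NAME"
    // ... that came from customer-ingested context (the MISP feed), not from
    // Google-provided GLOBAL_CONTEXT or from DERIVED_CONTEXT inferred from UDM events
    $ioc.graph.metadata.source_type = "ENTITY_CONTEXT"
    $ioc.graph.metadata.product_name = "MISP"

    // Join: the queried domain must equal the indicator's hostname (assumed join field)
    $ioc.graph.entity.hostname = $dns_query

  match:
    $dns_query, $host over 1h

  outcome:
    $risk_score = max(85)
    $ioc_descriptions = array_distinct($ioc.graph.metadata.description)

  condition:
    $dns and $ioc
}
```

Swapping the source_type value to GLOBAL_CONTEXT or DERIVED_CONTEXT would silently drop every MISP-sourced indicator from the join, so a test case that exercises a known MISP domain is the quickest way to confirm the filter is correct.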


Contribute your Thoughts:

Leandro
1 month ago
I remember we discussed the importance of correctly identifying the entity type in our practice sessions. I think "DOMAIN_NAME" is the right format, but I'm not sure about the source type.
upvoted 0 times