Google Professional Security Operations Engineer Exam - Topic 2 Question 7 Discussion

Actual exam question for Google's Professional Security Operations Engineer exam

Question #: 7
Topic #: 2

[All Professional Security Operations Engineer Questions]

You are conducting proactive threat hunting in your company's Google Cloud environment. You suspect that an attacker compromised a developer's credentials and is attempting to move laterally from a development Google Kubernetes Engine (GKE) cluster to critical production systems. You need to identify IoCs and prioritize investigative actions by using Google Cloud's security tools before analyzing raw logs in detail. What should you do next?

AIn the Security Command Center (SCC) console, apply filters for the cluster and analyze the resulting aggregated findings' timeline and details for IoCs. Examine the attack path simulations associated with attack exposure scores to prioritize subsequent actions.

BReview threat intelligence feeds within Google Security Operations (SecOps), and enrich any anomalies with context on known IoCs, attacker tactics, techniques, and procedures (TTPs), and campaigns.

CInvestigate Virtual Machine (VM) Threat Detection findings in Security Command Center (SCC). Filter for VM Threat Detection findings to target the Compute Engine instances that serve as the nodes for the cluster, and look for malware or rootkits on the nodes.

DCreate a Google SecOps SOAR playbook that automatically isolates any GKE resources exhibiting unusual network connections to production environments and triggers an alert to the incident response team.

Show Suggested Answer

Suggested Answer: A

Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:

The key requirements are to 'proactively hunt,' 'prioritize investigative actions,' and identify 'lateral movement' paths before deep log analysis. This is the primary use case for Security Command Center (SCC) Enterprise. SCC aggregates all findings from Google Cloud services and correlates them with assets. By filtering on the GKE cluster, the analyst can see all associated findings (e.g., from Event Threat Detection) which may contain initial IoCs.

More importantly, SCC's attack path simulation feature is specifically designed to 'prioritize investigative actions' by modeling how an attacker could move laterally. It visualizes the chain of exploits---such as a misconfigured GKE service account with excessive permissions, combined with a public-facing service---that an attacker could use to pivot from the development cluster to high-value production systems. Each path is given an attack exposure score, allowing the hunter to immediately focus on the most critical risks.

Option C is too narrow, as it only checks for malware on nodes, not the lateral movement path. Option B is a later step used to enrich IoCs after they are found. Option D is an automated response (SOAR), not a proactive hunting and prioritization step.

(Reference: Google Cloud documentation, 'Security Command Center overview'; 'Attack path simulation and attack exposure scores')

by Lynna at Nov 25, 2025, 08:10 AM

Limited Time Offer

25%

3 months ago

I think I'd start by applying filters in the Security Command Center console to analyze the aggregated findings and timeline for the cluster. The attack path simulations could help prioritize my next steps.

upvoted 0 times

Kenneth

2 months ago

I agree, filtering in the SCC console sounds like a solid first step.

upvoted 0 times

...

Sharita

3 months ago

Definitely! The aggregated findings will give us a clear view.

upvoted 0 times

...