Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Google Professional Security Operations Engineer Exam - Topic 4 Question 5 Discussion

Actual exam question for Google's Professional Security Operations Engineer exam
Question #: 5
Topic #: 4
[All Professional Security Operations Engineer Questions]

You are implementing Google Security Operations (SecOps) for your organization. Your organization has their own threat intelligence feed that has been ingested to Google SecOps by using a native integration with a Malware Information Sharing Platform (MISP). You are working on the following detection rule to leverage the command and control (C2) indicators that were ingested into the entity graph.

What code should you add in the detection rule to filter for the domain IOCS?

Show Suggested Answer Hide Answer
Suggested Answer: B

This YARA-L rule is designed to correlate a real-time event (a DNS query, $dns) with known-bad indicators stored in the Google SecOps entity graph ($ioc). The code must correctly filter the entity graph to find the specific indicators from the custom MISP feed.

Two filters are required:

$ioc.graph.metadata.entity_type = 'DOMAIN_NAME': This line is essential to filter the entity graph for IoCs that are domains. The rule is trying to match a DNS query ($dns_query) to a known C2 domain, so the entity type must be DOMAIN_NAME.

$ioc.graph.metadata.source_type = 'ENTITY_CONTEXT': This is the key differentiator. The Google SecOps entity graph has multiple context sources. GLOBAL_CONTEXT (Option B) is for threat intelligence provided by Google (e.g., Google Threat Intelligence, Mandiant). DERIVED_CONTEXT (Option C) is for context inferred from UDM events. The prompt explicitly states the IoC feed is the organization's own 'threat intelligence feed... ingested... with... MISP.' This type of customer-provided, third-party intelligence is classified as ENTITY_CONTEXT. Adding this line ensures the rule only uses the custom MISP feed for its IoC data, as intended.

The other lines in the $ioc block, such as product_name = 'MISP', further refine this ENTITY_CONTEXT search.

(Reference: Google Cloud documentation, 'YARA-L 2.0 language syntax'; 'Context-aware detections with entity graph'; 'Populate the entity graph')


by Tasia at Nov 24, 2025, 10:03 AM

Limited Time Offer

25%

Off

Get Premium Professional Security Operations Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Francine
1 day ago
D is confusing. Why use "source type unspecified"?
upvoted 0 times
...
Jenelle
7 days ago
I like B too. "GLOBAL_CONTEXT" makes sense for our setup.
upvoted 0 times
...
Anthony
12 days ago
Option A seems off. Typo in "MDOMAlN_NAME" is a red flag.
upvoted 0 times
...
Rosalind
17 days ago
Agreed! "DOMAIN_NAME" is the right format.
upvoted 0 times
...
Rosendo
22 days ago
I’m not convinced about C, the entity type looks wrong.
upvoted 0 times
...
Jamie
27 days ago
I think A has a typo, not sure it’ll work.
upvoted 0 times
...
Tracie
2 months ago
Option B looks correct for filtering domain IOCs.
upvoted 0 times
...
Ressie
2 months ago
B is the way to go. Can't go wrong with the "GLOBAL_CONTEXT" source type.
upvoted 0 times
...
Mirta
2 months ago
Haha, "source type unspecified" - that's a good one!
upvoted 0 times
...
Katie
2 months ago
I'm going with B as well. Looks like the proper syntax for the detection rule.
upvoted 0 times
...
Aide
2 months ago
Option B seems to be the right answer.
upvoted 0 times
...
Eric
2 months ago
I’m leaning towards option A, but I’m uncertain about the source type. Was it "GLOBAL_CONTEXT" or something else?
upvoted 0 times
...
Kathryn
3 months ago
I feel like "D0MAIN_NAME" in option C is a typo, but I can't recall if that would affect the rule's functionality.
upvoted 0 times
...
Nicolette
3 months ago
I think option B looks familiar; it seems to match the format we practiced with similar questions about filtering IOCs.
upvoted 0 times
...
Dominga
3 months ago
I remember we discussed the importance of using the correct entity type for domains, but I'm not sure if "DOMAIN_NAME" is case-sensitive in this context.
upvoted 0 times
...
Reita
3 months ago
Alright, I'm feeling confident about this one. I'll go with option B since it looks like the correct combination of entity_type and source_type for filtering domain IOCs.
upvoted 0 times
...
Renay
3 months ago
I think I've got a good handle on this. The key is to look for the "DOMAIN_NAME" entity_type and the appropriate source_type. I'll double-check the options carefully.
upvoted 0 times
...
Josue
3 months ago
I'm a bit confused by the different source_type options. I'll need to make sure I understand the differences between "GLOBAL_CONTEXT", "DERIVED_CONTEXT", and "source type unspecified".
upvoted 0 times
...
Queen
4 months ago
B) looks correct to me.
upvoted 0 times
...
Sabra
4 months ago
I think option B looks solid. Clear and straightforward.
upvoted 0 times
...
Adelina
4 months ago
Definitely going with B, it’s the cleanest option!
upvoted 0 times
...
Angelo
4 months ago
Wait, why is D using an asterisk? Seems off.
upvoted 0 times
...
Leonora
5 months ago
Okay, let me see here. The question is asking about filtering for domain IOCs, so I'll need to look for the right entity_type and source_type values.
upvoted 0 times
...
Carol
5 months ago
Hmm, this looks like a tricky one. I'll need to carefully read through the options and think about the differences in the source_type values.
upvoted 0 times
Thora
4 months ago
I agree, the source_type values are key here.
upvoted 0 times
...
...

Save Cancel