Exam Security-Operations-Engineer Topic 1 Question 8 Discussion
Actual exam question for Google's Security-Operations-Engineer exam
Question #: 8
Topic #: 1
Question #: 8
Topic #: 1
You are developing a playbook to respond to phishing reports from users at your company. You configured a UDM query action to identify all users who have connected to a malicious domain. You need to extract the users from the UDM query and add them as entities in an alert so the playbook can reset the password for those users. You want to minimize the effort required by the SOC analyst. What should you do?
Suggested Answer: B Vote an answer
Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:
The key requirement is to *automate* the extraction of data to *minimize analyst effort*. This is a core function of Google Security Operations SOAR (formerly Siemplify). The **Siemplify integration** provides the foundational playbook actions for case management and entity manipulation.
The **`Create Entity`** action is designed to programmatically add new entities (like users, IPs, or domains) to the active case. To make this action automatic, the playbook developer must use the **Expression Builder**. The Expression Builder is the tool used to parse the JSON output from a previous action (the UDM query) and dynamically map the results (the list of usernames) into the parameters of a subsequent action.
By using the Expression Builder to configure the `Entities Identifier` parameter of the `Create Entity` action, the playbook automatically extracts all `principal.user.userid` fields from the UDM query results and adds them to the case. These new entities can then be automatically passed to the next playbook step, such as
"Reset Password."
Options A and C are incorrect because they are **manual** actions. They require an analyst to intervene, which does *not* minimize effort. Option D is incorrect as it creates multiple, unnecessary cases, flooding the queue instead of enriching the single, original phishing case.
*(Reference: Google Cloud documentation, "Google SecOps SOAR Playbooks overview"; "Using the Expression Builder"; "Marketplace and Integrations")*
***
The key requirement is to *automate* the extraction of data to *minimize analyst effort*. This is a core function of Google Security Operations SOAR (formerly Siemplify). The **Siemplify integration** provides the foundational playbook actions for case management and entity manipulation.
The **`Create Entity`** action is designed to programmatically add new entities (like users, IPs, or domains) to the active case. To make this action automatic, the playbook developer must use the **Expression Builder**. The Expression Builder is the tool used to parse the JSON output from a previous action (the UDM query) and dynamically map the results (the list of usernames) into the parameters of a subsequent action.
By using the Expression Builder to configure the `Entities Identifier` parameter of the `Create Entity` action, the playbook automatically extracts all `principal.user.userid` fields from the UDM query results and adds them to the case. These new entities can then be automatically passed to the next playbook step, such as
"Reset Password."
Options A and C are incorrect because they are **manual** actions. They require an analyst to intervene, which does *not* minimize effort. Option D is incorrect as it creates multiple, unnecessary cases, flooding the queue instead of enriching the single, original phishing case.
*(Reference: Google Cloud documentation, "Google SecOps SOAR Playbooks overview"; "Using the Expression Builder"; "Marketplace and Integrations")*
***
by Leopold at Nov 14, 2025, 07:10 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).