Exam Security-Operations-Engineer Topic 2 Question 46 Discussion
Actual exam question for Google's Security-Operations-Engineer exam
Question #: 46
Topic #: 2
Question #: 46
Topic #: 2
You are part of a cybersecurity team at a large multinational corporation that uses Google Security Operations (SecOps). You have been tasked with identifying unknown command and control nodes (C2s) that are potentially active in your organization's environment. You need to generate a list of potential matches for the unknown C2s within the next 24 hours. What should you do?
Suggested Answer: D Vote an answer
Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract Google Security Operations Engineer documents:
The key requirement is to hunt for unknown C2 nodes. This implies that the indicators will not exist in any current threat intelligence feed. Therefore, Option C is incorrect as it only hunts for known IoCs. Option A is also incorrect as Security Health Analytics (SHA) is a posture management tool, not a threat hunting tool.
Option D describes a classic and effective hypothesis-driven threat hunt. Attackers frequently use Newly Registered Domains (NRDs) for their C2 infrastructure, as these domains have no established reputation and are not yet on blocklists.
Google Security Operations (SecOps) allows an engineer to write a YARA-L rule that joins real-time event data (UDM network traffic) with contextual data (the entity graph or a custom lookup). An engineer can ingest WHOIS data or a feed of NRDs as context. The YARA-L rule would then compare outbound network connections against this context, looking for any communication with domains registered within the last 30-
90 days. By executing this rule as a retrohunt, the engineer can scan all historical data to "generate a list of potential matches" for this high-risk, anomalous behavior, which is a strong indicator of unknown C2 activity.
(Reference: Google Cloud documentation, "YARA-L 2.0 language syntax"; "Run a YARA-L retrohunt"; " Context-aware detections with entity graph")
The key requirement is to hunt for unknown C2 nodes. This implies that the indicators will not exist in any current threat intelligence feed. Therefore, Option C is incorrect as it only hunts for known IoCs. Option A is also incorrect as Security Health Analytics (SHA) is a posture management tool, not a threat hunting tool.
Option D describes a classic and effective hypothesis-driven threat hunt. Attackers frequently use Newly Registered Domains (NRDs) for their C2 infrastructure, as these domains have no established reputation and are not yet on blocklists.
Google Security Operations (SecOps) allows an engineer to write a YARA-L rule that joins real-time event data (UDM network traffic) with contextual data (the entity graph or a custom lookup). An engineer can ingest WHOIS data or a feed of NRDs as context. The YARA-L rule would then compare outbound network connections against this context, looking for any communication with domains registered within the last 30-
90 days. By executing this rule as a retrohunt, the engineer can scan all historical data to "generate a list of potential matches" for this high-risk, anomalous behavior, which is a strong indicator of unknown C2 activity.
(Reference: Google Cloud documentation, "YARA-L 2.0 language syntax"; "Run a YARA-L retrohunt"; " Context-aware detections with entity graph")
by Wendy at Mar 03, 2026, 05:06 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).