Exam Security-Operations-Engineer Topic 3 Question 2 Discussion

Actual exam question for Google's Security-Operations-Engineer exam
Question #: 2
Topic #: 3
You are using Google Security Operations (SecOps) to hunt for signs of lateral movement through Remote Desktop Protocol (RDP) in your organization. You suspect that a compromised account was used to access multiple internal systems within a short time window. You want to construct a UDM-based search to identify this activity. How should you build this query? (Choose two.)

Suggested Answer: B,C Vote an answer

Filtering for events using protocol-level attributes that indicate RDP connections ensures that the search specifically targets RDP sessions.
Grouping events by user identity and time allows you to identify repeated access patterns, which is a strong indicator of lateral movement when a single account accesses multiple systems in a short timeframe.

by Bess at Jul 02, 2026, 07:30 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10