Exam Security-Operations-Engineer Topic 5 Question 75 Discussion
Actual exam question for Google's Security-Operations-Engineer exam
Question #: 75
Topic #: 5
Question #: 75
Topic #: 5
You are ingesting and parsing logs from an SSO provider and an on-premises appliance using Google Security Operations (SecOps). Users are tagged as "restricted" by an internal process.
Restrictions last five days from the most recent flagging time. You need to create a rule to detect when restricted users log into the appliance. Your solution must be quickly implemented and easily maintained. What should you do?
Restrictions last five days from the most recent flagging time. You need to create a rule to detect when restricted users log into the appliance. Your solution must be quickly implemented and easily maintained. What should you do?
Suggested Answer: C Vote an answer
The best solution is to ingest the user flags as custom enrichment data using a feed and then use a multi-event detection rule to detect logins from users flagged in the entity graph. This approach is quick to implement, integrates cleanly with Google SecOps, and ensures that restricted user flags are dynamically correlated without constant manual updates or complex rule rebuilding.
by Jack at Jun 05, 2026, 09:54 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).