Google Cloud Certified - Professional Security Operations Engineer (PSOE) Exam Question and Answers

Last Update Jan 14, 2026
Total Questions : 60

Question 1

You are developing a security strategy for your organization. You are planning to use Google Security Operations (SecOps) and Google Threat Intelligence (GTI). You need to enhance the detection and response across multi-cloud and on-premises systems. How should you integrate these products?

Choose 2 answers

Options:

A. Ingest GTI IOCs into Google SecOps as security events.
B. Ingest on-premises and cloud security logs into Google SecOps SIEM as events.
C. Ingest on-premises and cloud security logs into Google SecOps SIEM as entities.
D. Use Google SecOps SOAR integrations with GTI for event enrichment.
E. Use Google SecOps SOAR integrations with GTI for entity enrichment.

Question 2

You are managing the integration of Security Command Center (SCC) with downstream tooling. You need to pull security findings from SCC and import those findings as part of Google Security Operations (SecOps) SOAR actions. You need to configure the connection between SCC and Google SecOps. What should you do?

Options:

A. Install the Google Rapid Response integration from the Google SecOps Marketplace. Gather information about the findings from the appropriate server.
B. Install the SCC integration from the Google SecOps Marketplace. Grant the SCC API the appropriate IAM roles to integrate with the Google SecOps instance. Configure this integration using a generated API key scoped to the SCC API.
C. Create a Pub/Sub topic with a NotificationConfig object and a push subscription for the desired finding types. Grant the Google SecOps service account the appropriate IAM roles to read from this subscription.
D. Create a Pub/Sub topic with a NotificationConfig object and a push subscription for the desired finding types. Create a new Google SecOps service account in the Google Cloud project, and grant this service account the appropriate IAM roles to read from this subscription. Export the credentials from IAM and import the credentials into Google SecOps SOAR.

Question 3

Your company has deployed two on-premises firewalls. You need to configure the firewalls to send logs to Google Security Operations (SecOps) using Syslog. What should you do?

Options:

A. Deploy a Google Ops Agent on your on-premises environment, and set the agent as the Syslog destination.
B. Pull the firewall logs by using a Google SecOps feed integration.
C. Deploy a third-party agent (e.g., Bindplane, NXLog) on your on-premises environment, and set the agent as the Syslog destination.
D. Set the Google SecOps URL instance as the Syslog destination.

Question 4

You are a security engineer at a managed security service provider (MSSP) that is onboarding to Google Security Operations (SecOps). You need to ensure that cases for each customer are logically separated. How should you configure this logical separation?

Options:

A. In Google SecOps SOAR settings, create a role for each customer.
B. In Google SecOps Playbooks, create a playbook for each customer.
C. In Google SecOps SOAR settings, create a permissions group for each customer.
D. In Google SecOps SOAR settings, create a new environment for each customer.

Question 5

Your company's analyst team uses a playbook to make necessary changes to external systems that are integrated with the Google Security Operations (SecOps) platform. You need to automate the task to run once every day at a specific time. You want to use the most efficient solution that minimizes maintenance overhead. What should you do?

Options:

A. Write a custom Google SecOps SOAR job in the IDE using the code from the existing playbook actions.
B. Create a Cron Scheduled Connector for this use case. Configure a playbook trigger to match the cases created by the connector that runs the playbook with the relevant actions.
C. Create a Google SecOps SOAR request and a playbook trigger to match the request from the user to start the playbook with the relevant actions.
D. Use a VM to host a script that runs a playbook via an API call.

Question 6

Your organization plans to ingest logs from an on-premises MySQL database as a new log source into its Google Security Operations (SecOps) instance. You need to create a solution that minimizes effort. What should you do?

Options:

A. Configure and deploy a Bindplane collection agent.
B. Configure a third-party API feed in Google SecOps.
C. Configure direct ingestion from your Google Cloud organization.
D. Configure and deploy a Google SecOps forwarder.

Question 7

You are responsible for evaluating the level of effort required to integrate a new third-party endpoint detection tool with Google Security Operations (SecOps). Your organization's leadership wants to minimize customization for the new tool for faster deployment. You need to verify that the Google SecOps SOAR and SIEM support the expected workflows for the new third-party tool. You must recommend a tool to your leadership team as quickly as possible. What should you do?

Choose 2 answers

Options:

A. Review the architecture of the tool to identify the cloud provider that hosts the tool.
B. Review the documentation to identify if default parsers exist for the tool, and determine whether the logs are supported and able to be ingested.
C. Identify the tool in the Google SecOps Marketplace, and verify support for the necessary actions in the workflow.
D. Develop a custom integration that uses Python scripts and Cloud Run functions to forward logs and orchestrate actions between the third-party tool and Google SecOps.
E. Configure a Pub/Sub topic to ingest raw logs from the third-party tool, and build custom YARA-L rules in Google SecOps to extract relevant security events.

Question 8

You work for an organization that operates an ecommerce platform. You have identified a remote shell on your company's web host. The existing incident response playbook is outdated and lacks specific procedures for handling this attack. You want to create a new, functional playbook that can be deployed as soon as possible by junior analysts. You plan to use available tools in Google Security Operations (SecOps) to streamline the playbook creation process. What should you do?

Options:

A. Use Gemini to generate a playbook based on a template from a standard incident response plan, and implement automated scripts to filter network traffic based on known malicious IP addresses.
B. Add instruction actions to the existing incident response playbook that include updated procedures with steps that should be completed. Have a senior analyst build out the playbook to include those new procedures.
C. Use the playbook creation feature in Gemini, and enter details about the intended objectives. Add the necessary customizations for your environment, and test the generated playbook against a simulated remote shell alert.
D. Create a new custom playbook based on industry best practices, and work with an offensive security team to test the playbook against a simulated remote shell alert.

Question 9

Your company requires PCI DSS v4.0 compliance for its cardholder data environment (CDE) in Google Cloud. You use a Security Command Center (SCC) security posture deployment based on the PCI DSS v4.0 template to monitor for configuration drift. This posture generates a finding indicating that a Compute Engine VM within the CDE scope has been configured with an external IP address. You need to take an immediate action to remediate the compliance drift identified by this specific SCC posture finding. What should you do?

Options:

A. Enable and enforce the constraints/compute.vmExternalIpAccess organization policy constraint at the project level for the project where the VM resides.
B. Remove the CDE-specific tag from the VM to exclude the tag from this particular PCI DSS posture evaluation scan.
C. Reconfigure the network interface settings for the VM to explicitly remove the assigned external IP address.
D. Navigate to the underlying Security Health Analytics (SHA) finding for public_ip_address on the VM, and mark this finding as fixed.

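The condition behind this finding and the remediation in the options, as an added example that is not part of the exam page: the function reads a Compute Engine instance resource (the shape returned by the Compute Engine API instances.get, where an external IPv4 address appears as an access config of type ONE_TO_ONE_NAT on a network interface), reports every external address, and returns a copy of the resource with those access configs removed together with the gcloud delete-access-config commands that make the same change on the live VM. The sample instance, project, zone and addresses are constructed for the example. The org policy constraint in option A is a preventive control: it blocks assigning external IPs to VMs going forward but does not strip an address that is already attached, so the drift on this VM stays until the access config is removed.

```python
"""Check a Compute Engine instance resource for external IPv4 addresses and
produce the remediation (added example; sample resource is constructed)."""
import copy

# Constructed sample resource in the instances.get shape; not a real VM.
SAMPLE_INSTANCE = {
    "name": "cde-web-01",
    "zone": "projects/example-cde/zones/us-central1-a",
    "networkInterfaces": [
        {
            "name": "nic0",
            "networkIP": "10.10.1.5",
            "accessConfigs": [
                {"type": "ONE_TO_ONE_NAT", "name": "External NAT",
                 "natIP": "203.0.113.7"},
            ],
        },
        {"name": "nic1", "networkIP": "10.20.1.5"},  # internal only
    ],
}


def external_ips(instance):
    """Return [(nic name, access-config name, natIP)] for each external IPv4
    address. An empty list means the PUBLIC_IP_ADDRESS condition is clear.
    IPv6 external addresses live under ipv6AccessConfigs and are not checked."""
    found = []
    for nic in instance.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            if ac.get("type") == "ONE_TO_ONE_NAT":
                found.append((nic["name"], ac.get("name", ""), ac.get("natIP")))
    return found


def remediate(instance):
    """Return (remediated copy, gcloud commands). The copy drops every
    ONE_TO_ONE_NAT access config; the commands apply the same change to the
    live VM, one per external address, and the input is left untouched."""
    fixed = copy.deepcopy(instance)
    zone = instance["zone"].rsplit("/", 1)[-1]
    cmds = []
    for nic in fixed.get("networkInterfaces", []):
        if "accessConfigs" not in nic:
            continue
        for ac in nic["accessConfigs"]:
            if ac.get("type") == "ONE_TO_ONE_NAT":
                cmds.append(
                    f'gcloud compute instances delete-access-config {instance["name"]} '
                    f'--zone={zone} --network-interface={nic["name"]} '
                    f'--access-config-name="{ac.get("name", "External NAT")}"'
                )
        nic["accessConfigs"] = [ac for ac in nic["accessConfigs"]
                                if ac.get("type") != "ONE_TO_ONE_NAT"]
    return fixed, cmds


if __name__ == "__main__":
    print("external addresses:", external_ips(SAMPLE_INSTANCE))
    fixed, cmds = remediate(SAMPLE_INSTANCE)
    print("after remediation:", external_ips(fixed))
    for c in cmds:
        print(c)
```

Run the returned commands, then re-check the resource; the SHA finding is resolved by SCC on its next scan once the access config is gone, which is why marking it fixed by hand (option D) changes nothing about the VM.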
Question 10

Your organization's Google Security Operations (SecOps) tenant is ingesting a vendor's firewall logs in its default JSON format using the Google-provided parser for that log. The vendor recently released a patch that introduces a new field and renames an existing field in the logs. The parser does not recognize these two fields and they remain available only in the raw logs, while the rest of the log is parsed normally. You need to resolve this logging issue as soon as possible while minimizing the overall change management impact. What should you do?

Options:

A. Use the web interface-based custom parser feature in Google SecOps to copy the parser, and modify it to map both fields to UDM.
B. Use the Extract Additional Fields tool in Google SecOps to convert the raw log entries to additional fields.
C. Deploy a third-party data pipeline management tool to ingest the logs, and transform the updated fields into fields supported by the default parser.
D. Write a code snippet, and deploy it in a parser extension to map both fields to UDM.

Question 11

Your company is adopting a multi-cloud environment. You need to configure comprehensive monitoring of threats using Google Security Operations (SecOps). You want to start identifying threats as soon as possible. What should you do?

Options:

A. Use Gemini to generate YARA-L rules for multi-cloud use cases.
B. Use curated detections from the Cloud Threats category to monitor your cloud environment.
C. Use curated detections for Applied Threat Intelligence to monitor your company's cloud environment.
D. Ask Cloud Customer Care to provide a set of rules recommended by Google to monitor your company's cloud environment.

Question 12

Your organization uses the curated detection rule set in Google Security Operations (SecOps) for high priority network indicators. You are finding a vast number of false positives coming from your on-premises proxy servers. You need to reduce the number of alerts. What should you do?

Options:

A. Configure a rule exclusion for the target.ip field.
B. Configure a rule exclusion for the principal.ip field.
C. Configure a rule exclusion for the network.asset.ip field.
D. Configure a rule exclusion for the target.domain field.

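What a rule exclusion on each UDM field does to the proxy noise, as an added example that is not part of the exam page. A network indicator rule matches on the destination (target.ip or target.domain); every outbound connection that egresses through a forward proxy carries the proxy's address as the source, principal.ip, so an exclusion on principal.ip for the proxy subnet drops that traffic before the rule fires, while an exclusion on target.ip never matches it. The proxy subnet, indicator address and the four constructed events are assumptions for the example.

```python
"""Apply a field-scoped exclusion to UDM-shaped network events and then
evaluate an indicator match (added example; all data is constructed)."""
import ipaddress

PROXY_NETS = [ipaddress.ip_network("10.0.5.0/29")]   # assumed on-prem proxy subnet
INDICATORS = {"198.51.100.23"}                        # assumed high-priority IP indicator


def in_nets(ip, nets):
    """True when ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def rule_matches(event):
    """Detection logic of the indicator rule: destination is a listed indicator."""
    return event["target"]["ip"] in INDICATORS


def apply_exclusion(events, field):
    """Drop events whose `field` ('principal.ip' or 'target.ip') is a proxy
    address, then evaluate the rule. Returns the alerts that survive."""
    top, leaf = field.split(".")
    alerts = []
    for e in events:
        if in_nets(e[top][leaf], PROXY_NETS):
            continue  # excluded before the rule sees it
        if rule_matches(e):
            alerts.append(e)
    return alerts


def _ev(src, dst):
    # Constructed UDM-shaped network event.
    return {"principal": {"ip": src}, "target": {"ip": dst}}


EVENTS = [
    _ev("10.0.5.2", "198.51.100.23"),   # proxy egress to the indicator: the noise
    _ev("10.0.5.3", "198.51.100.23"),
    _ev("10.7.1.44", "198.51.100.23"),  # host bypassing the proxy: keep this alert
    _ev("10.7.1.45", "93.184.216.34"),  # benign destination
]

if __name__ == "__main__":
    for field in ("principal.ip", "target.ip"):
        hits = apply_exclusion(EVENTS, field)
        print(field, "->", [h["principal"]["ip"] for h in hits])
```

The exclusion removes the firewall's view of proxied traffic from this rule only; which internal client asked for the indicator is then visible only in the proxy's own logs, so those should be ingested (with the client address mapped to principal.ip) before the exclusion goes in.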
Question 13

You are ingesting and parsing logs from an SSO provider and an on-premises appliance using Google Security Operations (SecOps). Users are tagged as "restricted" by an internal process. Restrictions last five days from the most recent flagging time. You need to create a rule to detect when restricted users log into the appliance. Your solution must be quickly implemented and easily maintained. What should you do?

Options:

A. Use a Google SecOps SOAR global context value to store a list of flagged users with their corresponding time-to-live values.
B. Use a SOAR job to dynamically build and deploy a new version of the detection rule with the updated list of flagged users.
C. Store the flagged users in a data table column with their corresponding time-to-live values in a second column. Use row-based comparisons in the detection rule.
D. Create a regex data table to store each user and the corresponding time-to-live value in a single row, pipe-delimited, and use an "in" keyword in your detection rule.

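The row-based check the detection has to express, as an added example that is not part of the exam page, run locally over constructed data so the edge cases are visible: the table holds one row per user with the time the restriction expires (most recent flag time plus five days), and an appliance login is a hit only when the event time falls before that row's expiry. Field names follow UDM (principal.user.userid, metadata.event_timestamp, target.hostname); the appliance hostname, the flagging events and the login events are assumptions. A single pipe-delimited regex row can only answer "is this user in the list"; it cannot compare the event time against a per-user expiry, which is the part of the requirement this code exercises.

```python
"""Restricted-user login check with a per-row expiry (added example; all
sample data is constructed)."""
from datetime import datetime, timedelta, timezone

RESTRICTION_TTL = timedelta(days=5)
APPLIANCE = "vpn-appliance-01"   # assumed hostname of the on-prem appliance


def build_table(flag_events):
    """Build the data table rows from (userid, flagged_at) pairs. A repeated
    flag for one user keeps the latest expiry, so the five-day window runs
    from the most recent flagging time."""
    expires = {}
    for user, flagged_at in flag_events:
        until = flagged_at + RESTRICTION_TTL
        if user not in expires or until > expires[user]:
            expires[user] = until
    return [{"userid": u, "restricted_until": t} for u, t in expires.items()]


def restricted_logins(events, table):
    """Return (userid, timestamp) for each appliance login whose user has a
    table row and whose event time is before that row's restricted_until."""
    until_by_user = {row["userid"]: row["restricted_until"] for row in table}
    hits = []
    for e in events:
        if e["metadata"]["event_type"] != "USER_LOGIN":
            continue
        if e["target"]["hostname"] != APPLIANCE:
            continue
        user = e["principal"]["user"]["userid"]
        ts = e["metadata"]["event_timestamp"]
        until = until_by_user.get(user)
        if until is not None and ts < until:   # row-based comparison
            hits.append((user, ts))
    return hits


def _login(user, ts, host=APPLIANCE):
    # Constructed UDM-shaped login event.
    return {"metadata": {"event_type": "USER_LOGIN", "event_timestamp": ts},
            "principal": {"user": {"userid": user}},
            "target": {"hostname": host}}


T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
TABLE = build_table([
    ("alice", T0),                       # restricted until T0 + 5 days
    ("bob", T0 - timedelta(days=10)),    # restriction already expired
    ("alice", T0 - timedelta(days=3)),   # older flag; the newer one wins
])
EVENTS = [
    _login("alice", T0 + timedelta(days=2)),                    # inside window: alert
    _login("alice", T0 + timedelta(days=6)),                    # window expired
    _login("bob", T0),                                          # flagged 10 days ago
    _login("carol", T0),                                        # never flagged
    _login("alice", T0 + timedelta(days=1), host="sso-portal"), # not the appliance
]

if __name__ == "__main__":
    for user, ts in restricted_logins(EVENTS, TABLE):
        print(f"restricted user {user} logged into {APPLIANCE} at {ts.isoformat()}")
```

Maintenance then consists of updating table rows as users are flagged; the rule text itself never changes, which is what makes the data-table approach cheaper than rebuilding and redeploying the rule on every flag.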
Question 14

You are a SOC manager at an organization that recently implemented Google Security Operations (SecOps). You need to monitor your organization's data ingestion health in Google SecOps. Data is ingested with Bindplane collection agents. You want to configure the following:

• Receive a notification when data sources go silent within 15 minutes.

• Visualize ingestion throughput and parsing errors.

What should you do?

Options:

A. Configure automated scheduled delivery of an ingestion health report in the Data Ingestion and Health dashboard. Monitor and visualize data ingestion metrics in this dashboard.
B. Configure silent source alerts based on rule detections for anomalous data ingestion activity in Risk Analytics. Monitor and visualize the alert metrics in the Risk Analytics dashboard.
C. Configure notifications in Cloud Monitoring when ingestion sources become silent in Bindplane. Monitor and visualize Google SecOps data ingestion metrics using Bindplane Observability Pipeline (OP).
D. Configure silent source notifications for Google SecOps collection agents in Cloud Monitoring. Create a Cloud Monitoring dashboard to visualize data ingestion metrics.

Question 15

Your organization uses Cloud Identity as their identity provider (IdP) and is a Google Security Operations (SecOps) customer. You need to grant a group of users access to the Google SecOps instance with read-only access to all resources, including detection engine rules. How should this be configured?

Options:

A. Create a Google Group and add the required users. Grant the roles/chronicle.viewer IAM role to the group on the project associated with your Google SecOps instance.
B. Create a Google Group and add the required users. Grant the roles/chronicle.limitedViewer IAM role to the group on the project associated with your Google SecOps instance.
C. Create a workforce identity pool at the organization level. Grant the roles/chronicle.editor IAM role to the principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID principal set on the project associated with your Google SecOps instance.
D. Create a workforce identity pool at the organization level. Grant the roles/chronicle.limitedViewer IAM role to the principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID principal set on the project associated with your Google SecOps instance.

Question 16

You manage a large fleet of Compute Engine instances. Security Command Center (SCC) has generated a large number of CONFIDENTIAL_COMPUTING_DISABLED findings. You need to quickly tune these findings. What should you do?

Options:

A. Manually mark the findings as inactive.
B. Disable Event Threat Detection (ETD).
C. Create a mute rule for the finding.
D. Disable the Security Health Analytics (SHA) detector.

Question 17

You are a SOC manager guiding an implementation of your existing incident response plan (IRP) into Google Security Operations (SecOps). You need to capture time duration data for each of the case stages. You want your solution to minimize maintenance overhead. What should you do?

Options:

A. Create a Google SecOps dashboard that displays specific actions that have been run, identifies which stage a case is in, and calculates the time elapsed since the start of the case.
B. Configure Case Stages in the Google SecOps SOAR settings, and use the Change Case Stage action in your playbooks that captures time metrics when the stage changes.
C. Configure a detection rule in SIEM Rules & Detections to include logic to capture the event fields for each case with the relevant stage metrics.
D. Write a job in the IDE that runs frequently to check the progress of each case and updates the notes with timestamps to reflect when these changes were identified.

Question 18

You have been tasked with developing a new response process in a playbook to contain an endpoint. The new process should take the following actions:

• Send an email to users who do not have a Google Security Operations (SecOps) account to request approval for endpoint containment.

• Automatically continue executing its logic after the user responds.

You plan to implement this process in the playbook by using the Gmail integration. You want to minimize the effort required by the SOC analyst. What should you do?

Options:

A. Set the containment action to 'Manual' and assign the action to the user to execute or skip the containment action.
B. Set the containment action to 'Manual' and assign the action to the appropriate tier. Contact the user by email to request approval. The analyst chooses to execute or skip the containment action.
C. Use the 'Send Email' action to send an email requesting approval to contain the endpoint, and use the 'Wait For Thread Reply' action to receive the result. The analyst manually contains the endpoint.
D. Generate an approval link for the containment action and include the placeholder in the body of the 'Send Email' action. Configure additional playbook logic to manage approved or denied containment actions.