Question 10 - Google Security-Operations-Engineer Real Exam Questions [March 2026 Update]

Q: 10

You have a custom-built YARA-L rule in Google Security Operations (SecOps) correlating observed IP addresses in network and EDR logs against threat intelligence findings ingested from a Malware Information Sharing Platform (MISP) over a 2-minute time window. Your company's SOC reported that the rule generates too many false positives. You want to reduce the number of false positives generated by the rule while continuing to use threat intelligence. What should you do?

Options

Correct Answer:

Explanation

The most effective method to reduce false positives from a threat intelligence-based rule is to increase its specificity. Threat intelligence feeds often contain indicators with varying confidence and severity levels. By modifying the YARA-L rule to only trigger on indicators where the Unified Data Model (UDM) field graph.metadata.threat.severity is marked as "critical" or "high," you filter out lower-confidence or informational indicators that are common sources of noise. This directly addresses the issue of excessive false positives while retaining the core function of using high-fidelity threat intelligence for alerting.

Why Incorrect

A. Converting the rule to a dashboard does not reduce false positives; it only changes the output from an alert to a visualization, failing to solve the underlying issue of the noisy rule logic.

C. The riskscore is typically an outcome of a detection, contributing to an entity's overall risk. Using it as a primary filter within the rule itself is not the standard or most direct way to tune the rule's event-matching logic.

D. Increasing the match window from 2 minutes to 24 hours would likely increase, not decrease, the number of false positives by expanding the pool of events for correlation.

References

1. Google Cloud Documentation

Unified Data Model field list: The graph.metadata.threat.severity field is defined as part of the UDM schema to represent the severity of a threat associated with an indicator. This confirms the field's existence and intended use for filtering.

Source: Google Cloud

Chronicle Security Operations

"Unified Data Model field list"

Section on Threat.

2. Google Cloud Documentation

YARA-L 2.0 language syntax: The syntax for YARA-L rules allows for conditions in the events section to filter events based on the values of specific UDM fields. A condition like $event.graph.metadata.threat.severity = "CRITICAL" is a standard implementation.

Source: Google Cloud

Chronicle Security Operations

"YARA-L 2.0 language syntax"

Section: "Events section".

3. Google Cloud Documentation

Detection engine best practices: Official guidance on reducing false positives in rules emphasizes adding more specific criteria to the rule logic. Filtering on threat severity is a primary example of making a rule more specific and reducing noise from lower-priority intelligence.

Source: Google Cloud

Chronicle Security Operations

"Best practices for rules and detections"

Section: "Reduce false positives".

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE