Question 5 - Google Security-Operations-Engineer Real Exam Questions [March 2026 Update]

Q: 5

You have been tasked with creating a YARA-L detection rule in Google Security Operations (SecOps). The rule should identify when an internal host initiates a network connection to an external IP address that the Applied Threat Intelligence Fusion Feed associates with indicators attributed to a specific Advanced Persistent Threat 41 (APT41) threat group. You need to ensure that the external IP address is flagged if it has a documented relationship to other APT41 indicators within the Fusion Feed. How should you configure this YARA-L rule?

Options

Correct Answer:

Explanation

The most effective and intended method within Google SecOps is to use a YARA-L rule to directly join live event data with threat intelligence context. This rule would correlate the external IP address from a network connection event (UDM event) with Google's Applied Threat Intelligence Fusion Feed (graph.threat entity). By joining on the IP address, the rule can then filter for specific attributes within the Fusion Feed's graph data, such as a threat.threatname of "APT41" or other linked indicators. This approach leverages the core capability of the detection engine to perform real-time enrichment and correlation, providing a highly contextual and efficient detection.

Why Incorrect

A. This uses a static, manually managed list, failing to leverage the dynamic and comprehensive Applied Threat Intelligence Fusion Feed as required by the question.

C. This condition is too broad. It would trigger on any high-confidence threat, not specifically on indicators associated with the APT41 threat group.

D. This separates detection from enrichment. The question asks for the YARA-L rule to perform the identification, not to delegate the intelligence query to a SOAR playbook.

References

1. Google Cloud Documentation

"Use threat intelligence in rules": This document explicitly describes how to join UDM events with the graph.threat entity to enrich detections. It provides examples of filtering on threat attributes like threat.threatname

which directly supports the methodology in the correct answer. (See section: "Example: Detect connections to known malicious IP addresses").

2. Google Cloud Documentation

"YARA-L 2.0 language syntax": The match section of a YARA-L rule is designed to define joins between different data sets

such as events and threat intelligence entities. This document outlines the syntax for performing such joins

which is the core mechanism described in option B. (See section: "Match section").

3. Google Cloud Documentation

"Unified Data Model field list": This reference details the fields available for rule creation. A network connection rule would use fields like principal.ip (internal host) and target.ip (external IP). The join would be between udm.target.ip and the IP address indicator in the graph.threat entity. (See fields: principal.ip

target.ip).

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE