Exam Security-Operations-Engineer Topic 2 Question 51 Discussion

Actual exam question for Google's Security-Operations-Engineer exam
Question #: 51
Topic #: 2

During a proactive threat hunting exercise, you discover that a critical production project has an external identity with a highly privileged IAM role. You suspect that this is part of a larger intrusion, and it is unknown how long this identity has had access. All logs are enabled and routed to a centralized organization- level Cloud Logging bucket, and historical logs have been exported to BigQuery datasets.
You need to determine whether any actions were taken by this external identity in your environment.
What should you do?

A. Analyze IAM recommender insights and Security Command Center (SCC) findings associated with the external identity. B. Use Policy Analyzer to identify the resources that are accessible by the external identity. Examine the logs related to these resources in the centralized Cloud Logging bucket and the BigQuery dataset. C. Execute queries against the centralized Cloud Logging bucket and the BigQuery dataset to filter for logs where the principal email matches the external identity. D. Analyze VPC Flow Logs exported to BigQuery, and correlate source IP addresses with potential login events for the external identity.

Suggested Answer: C Vote an answer

Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:
To definitively determine "whether any actions were taken" by a specific identity, you must search the audit logs directly for that identity's activity. The scenario specifies two data repositories: a centralized Cloud Logging bucket (for recent/retention-period logs) and BigQuery (for historical logs).
According to Google Cloud Observability and Security Operations documentation, Cloud Audit Logs (specifically Admin Activity and Data Access logs) capture "Who did what, where, and when." The primary identifier for the actor in these logs is the protoPayload.authenticationInfo.principalEmail.
Option C is the only method that directly queries the activity logs for the specific actor.
* Cloud Logging: You would use the Logging Query Language to filter: protoPayload.authenticationInfo.
principalEmail="[IDENTITY_EMAIL]".
* BigQuery: You would use SQL to query the exported tables: SELECT * FROM [DATASET.TABLE] WHERE protopayload_auditlog.authenticationInfo.principalEmail = "[IDENTITY_EMAIL]".
Options A and B focus on access potential (Recommender/Policy Analyzer) rather than historical actions.
Option D (VPC Flow Logs) records network traffic 5-tuples and does not contain identity information (principal email), making it unsuitable for attributing API actions to a specific user.
References: Google Cloud Documentation > Cloud Logging > Logging query language; Google Cloud Documentation > Cloud Audit Logs > Audit log fields

by Bennett at Jun 09, 2026, 12:19 PM

Limited Time Offer

15%

Off

Get Premium Security-Operations-Engineer Questions as Interactive Self Test Engine or PDF

Comments

Here are all the actual test exam dumps for IT exams. Most people prepare for the actual exams with our test dumps to pass their exams. So it's critical to choose and actual test pdf to succeed.

RECENT DISCUSSIONS

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Disclaimer:
Actual4test doesn't offer Real SANS and GIAC Exam Questions.
Oracle and Java are registered trademarks of Oracle and/or its affiliates
Actual4test material do not contain actual actual Oracle Exam Questions or material.
Actual4test doesn't offer Real Microsoft Exam Questions.
Microsoft®, Azure®, Windows®, Windows Vista®, and the Windows logo are registered trademarks of Microsoft Corporation
Actual4test Materials do not contain actual questions and answers from Cisco's Certification Exams. The brand Cisco is a registered trademark of CISCO, Inc
CFA Institute does not endorse, promote or warrant the accuracy or quality of these questions. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Actual4test does not offer exam dumps or questions from actual exams. We offer learning material and practice tests created by subject matter experts to assist and help learners prepare for those exams. All certification brands used on the website are owned by the respective brand owners. Actual4test does not own or claim any ownership on any of the brands.