The Google GCP-PSOE exam preparation guide is designed to provide candidates with necessary information about the Professional Security Operations Engineer exam. It includes exam summary, sample questions, practice test, objectives and ways to interpret the exam objectives to enable candidates to assess the types of questions-answers that may be asked during the Google Cloud Platform - Professional Security Operations Engineer (GCP-PSOE) exam.
It is recommended for all the candidates to refer the GCP-PSOE objectives and sample questions provided in this preparation guide. The Google Professional Security Operations Engineer certification is mainly targeted to the candidates who want to build their career in Professional domain and demonstrate their expertise. We suggest you to use practice exam listed in this cert guide to get used to with exam environment and identify the knowledge areas where you need more work prior to taking the actual Google Professional Security Operations Engineer exam.
Google GCP-PSOE Exam Summary:
|
Exam Name
|
Google Professional Security Operations Engineer (GCP-PSOE) |
| Exam Code | GCP-PSOE |
| Exam Price | $200 USD |
| Duration | 120 minutes |
| Number of Questions | 50-60 multiple choice and multiple select questions |
| Passing Score | Pass / Fail (Approx 70%) |
| Schedule Exam | Google CertMetrics |
| Sample Questions | Google GCP-PSOE Sample Questions |
| Recommended Practice | Google Cloud Platform - Professional Security Operations Engineer (GCP-PSOE) Practice Test |
Google GCP-PSOE Syllabus:
| Section | Objectives |
|---|---|
Platform operations (~14% of the exam) |
|
| Enhancing detection and response. Considerations include: |
- Prioritizing telemetry sources (e.g., Security Command Center [SCC], Google Security Operations [SecOps], GTI, Cloud IDS) to detect incidents or misconfigurations within an enterprise environment - Integrating multiple tools (e.g., SCC, Google SecOps, GTI, Cloud IDS, downstream third-party system) in the security architecture to enhance detection capabilities - Justifying the use of tools with overlapping capabilities based on a set of requirements - Evaluating the effectiveness of existing tools to identify gaps in coverage and mitigate potential threats - Evaluating automation and cloud-based tools to enhance existing detection and response processes |
| Configuring access. Considerations include: |
- Configuring user and service account authentication to security tools (e.g., SCC, Google SecOps) - Configuring user and service account authorization for feature access using IAM roles and permissions - Configuring user and service account authorization for data access using IAM roles and permissions - Configuring and analyzing audit logs (e.g., Cloud Audit Logs, data access logs) for the solution - Configuring API access for automations within security tools (e.g., service accounts, API keys, SCC, Google SecOps, GTI) - Provisioning identities using Workforce Identity Federation |
Data management (~14% of the exam) |
|
| Ingesting logs for security tooling. Considerations include: |
- Determining approaches for data ingestion within security tools (e.g., SCC, Google SecOps) - Configuring an ingestion tool or features within security tools (e.g., SCC, Google SecOps) - Assessing required logs for detection and response, including automated sources, within security tools (e.g., SCC Event Threat Detection, Google SecOps) - Evaluating parsers for data ingestion in Google SecOps - Configuring parser modifications or extensions in Google SecOps - Evaluating data normalization techniques from log sources in Google SecOps - Evaluating new labels for data ingestion - Managing log and ingestion costs |
| Identifying a baseline of user, asset, and entity context. Considerations include: |
- Identifying relevant threat intelligence information in the enterprise environment - Differentiating event and entity data log sources (e.g., Cloud Audit Logs, Active Directory organizational context) - Evaluating event and entity data matches for enrichment by using aliasing elds |
Threat hunting (~19% of the exam) |
|
| Performing threat hunting across environments. Considerations include: |
- Developing queries to search across environment logs to identify anomalous activity - Analyzing user behavior to identify anomalous activity - Investigating the network, endpoints, and services to identify threat patterns or indicators of compromise (IOCs) using Google Cloud tools (e.g., Logs Explorer, Log Analytics, BigQuery, Google SecOps) - Collaborating with the incident response team to identify active threats in the environment - Developing hypotheses based on behavior, threat intel, posture, and incident data (e.g., SCC, GTI) |
| Leveraging threat intelligence for threat hunting. Considerations include: |
- Searching for IOCs within historical logs - Identifying new attack patterns and techniques in real time using threat intelligence and risk assessments (e.g., GTI, detection rules, SCC toxic combinations) - Analyzing entity risk score to identify anomalous behavior - Comparing and performing retrohunt of historical event data with newly enriched logs (e.g., - Google SecOps rules engine, BigQuery, Cloud Logging) - Searching proactively for underlying threats using threat intelligence (e.g., GTI, detection rules) |
Detection engineering (~22% of the exam) |
|
| Developing and implementing mechanisms to detect risks and identify threats. Considerations include: |
- Reconciling threat intelligence with user and asset activity - Analyzing logs and events to identify anomalous activity - Assessing suspicious behavior patterns by using detection rules and searches across various timelines - Designing detection rules that use risk values (e.g., Google SecOps reference lists) to identify threats matching risk proles - Discovering anomalous behavior of assets or users, and assigning risk values to the detections (e.g., Google SecOps Risk Analytics, curated detection rules) - Designing detection rules to discover posture or risk prole changes within the environment (e.g., SCC Security Health Analytics [SHA], SCC posture management, Google SecOps) - Identifying new or low prevalence processes, domains, and IP addresses that do not appear in threat intelligence sources using various methods (e.g., writing YARA-L rules, dashboards) - Assessing how to use entity/context data within detection rules to improve their accuracy (e.g., Google SecOps entity graph) - Configuring SCC Event Threat Detection custom detectors for IOCs |
| Leveraging threat intelligence for detection. Considerations include: |
- Scoring alerts based on the risk level of IOCs - Using latest IOCs to search within ingested security telemetry - Measuring the frequency of repetitive alerts to identify and reduce false positives |
Incident response (~21% of the exam) |
|
| Containing and investigating security incidents. Considerations include: |
- Collecting evidence on the scope of the incident, including forensic images and artifacts - Observing and analyzing alerts related to the incident using security tooling (e.g., SCC, Google SecOps) - Analyzing the scope of the incident using security tooling (e.g., Logs Explorer, Log Analytics, BigQuery, Cloud Logging, Cloud Monitoring) - Collaborating with other engineering teams for detection and long-term remediation efforts - Isolating affected services and processes to prevent further damage and spread of attack - Analyzing identified artifacts based on forensic analysis (e.g., Hash, IP, URL, Binaries) (GTI) - Performing root cause analysis using security tools (e.g., SCC, Google SecOps SIEM) |
| Building, implementing, and using response playbooks. Considerations include: |
- Determining the appropriate response steps for automation - Prioritizing high-value enrichments based on threat proles - Evaluating appropriate integrations to be leveraged by playbooks - Designing new processes in response to newly identified attack patterns from recent incidents - Recommending new orchestrations and automation playbooks based on gaps in the current implementation (e.g., Google SecOps SOAR) - Implementing mechanisms to notify analysts and stakeholders of incidents |
| Implementing the case management lifecycle. Considerations include: |
- Assigning cases into appropriate response stages - Implementing efficient workflows for case escalation - Assessing the effectiveness of case handoffs |
Observability (~10% of the exam) |
|
| Developing and maintaining dashboards and reports to provide insights. Considerations include: |
- Identifying key security analytics (e.g., metrics, KPIs, trends) - Implementing dashboards to visualize security telemetry, ingestion metrics, detections, alerts, and IOCs (e.g., Google SecOps SOAR, SIEM, Looker Studio) - Generating and customizing reports (e.g., Google SecOps SOAR, SIEM) |
| Configuring health monitoring and alerting. Considerations include: |
- Identifying important metrics for health monitoring and alerts - Creating dashboards that centralize metrics - Creating alerts with thresholds for specific metrics - Configuring notifications using Google Cloud tools (e.g., Cloud Monitoring) - Identifying health issues using Google Cloud tools (e.g., Cloud Logging) - Configuring silent source detection |
