Comprehensive and Detailed Explanation
The correct answers are B and D, as they accurately describe the two primary functions of a modern SecOps platform: SIEM (Detection) and SOAR (Response).
Option B: (Detection Strategy) A SIEM's fundamental purpose is to perform detection. To do this, it must first ingest telemetry (logs) as events. This is the foundational step for any detection and response strategy. Logs from all sources—on-premises (e.g., firewalls, Active Directory) and multi-cloud (e.g., AWS CloudTrail, Azure Activity Logs)—are ingested into Google SecOps, normalized into the Unified Data Model (UDM), and stored as events. This is what allows detection rules to run. (Option C is incorrect as logs are events, not entities).
Option D: (Response Strategy) A SOAR's fundamental purpose is to orchestrate and automate the response to a detection. A key part of this response is event enrichment (or more specifically, observable enrichment). When an alert is ingested by the SOAR, a playbook runs. This playbook uses integrations (e.g., with Mandiant or VirusTotal, which are part of GTI) to query for real-time context on the observables (IPs, hashes, domains) in the alert. This enrichment helps an analyst make a decision or allows the playbook to automate a containment action.
Option A is incorrect because GTI is ingested as context (in the entity graph and Fusion Feed), not as events. Option E is incorrect because "entity enrichment" (e.g., adding user data from AD) happens at the SIEM ingestion level, whereas SOAR integrations perform on-demand enrichment for alerts/events.
Exact Extract from Google Security Operations Documents:
Google SecOps data ingestion: Google Security Operations ingests customer logs, normalizes the data, and detects security alerts. Google SecOps ingests data using... Forwarders, Bindplane agent, Ingestion APIs, Google Cloud. Parsers convert logs from customer systems into a Unified Data Model (UDM) events.
Integrate Mandiant Threat Intelligence with Google SecOps: This document provides guidance on how to integrate Mandiant Threat Intelligence with Google Security Operations (Google SecOps). After you configure an integration instance, you can use it in playbooks.
Actions:
Enrich Entities: Use the Enrich Entities action to enrich entities using the information from Mandiant Threat Intelligence. This action runs on the following Google SecOps entities: Hostname, IP Address, URL, File Hash.
Enrich IOCs: Use this action to enrich indicators of compromise.
[References:, Google Cloud Documentation: Google Security Operations > Documentation > SecOps > Google SecOps data ingestion, Google Cloud Documentation: Google Security Operations > Documentation > SOAR > Marketplace integrations > Mandiant Threat Intelligence, , ]
