- A
Create a Cloud Monitoring alert policy that checks for failed logins in logs and sends a notification to Slack via webhook.
Why wrong: Cloud Monitoring alert policies can monitor logs metric but not with custom filtering for external IPs easily.
- B
Use Cloud Scheduler to run a batch job every hour that queries logs and sends a summary to Slack.
Why wrong: This is not real-time.
- C
Export Admin Activity audit logs to a Pub/Sub topic via a sink, and use a Cloud Function that subscribes to the topic to filter and post to Slack.
This provides real-time, scalable, and customizable notification.
- D
Enable Cloud Audit Logs and configure a log router to forward logs directly to Slack.
Why wrong: Log Router cannot send directly to Slack without a custom endpoint.
Real-Time Alert on Failed Login from Outside CIDR
This PCSE practice question tests your understanding of pcse exam topics. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company wants to monitor for suspicious login attempts across all their Google Cloud projects. They want to send a real-time Slack notification when a login fails from an IP address outside their corporate CIDR range. What is the most efficient way to achieve this?
Quick Answer
The answer is to export Admin Activity audit logs to a Pub/Sub topic via a sink, then use a Cloud Function that subscribes to the topic to filter and post to Slack. This is correct because Admin Activity audit logs capture all login events, and a Logging sink to Pub/Sub provides the real-time streaming necessary for immediate alerting, while the Cloud Function acts as a lightweight, event-driven processor to check the source IP against the corporate CIDR range and trigger the Slack webhook. On the Google Professional Cloud Security Engineer exam, this scenario tests your understanding of log-based alerting pipelines versus monitoring-based approaches—a common trap is choosing Cloud Monitoring, which cannot natively parse audit log fields for IP filtering. Remember the pipeline: logs flow to sink, sink to Pub/Sub, Pub/Sub triggers function, function filters and posts. A useful memory tip is "Sink, Stream, Slack"—the three S's of real-time security alerting.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Export Admin Activity audit logs to a Pub/Sub topic via a sink, and use a Cloud Function that subscribes to the topic to filter and post to Slack.
The correct answer is C. Admin Activity audit logs capture login events (e.g., failed logins). By creating a log sink that exports these logs to a Pub/Sub topic, you can stream them in real-time. A Cloud Function subscribed to that topic can filter for failed logins from outside the corporate CIDR and post a notification to Slack via a webhook. This approach provides real-time alerting with minimal latency and cost. Option A is incorrect because Cloud Monitoring alert policies can use log-based metrics, but they cannot directly check for failed logins in logs; you would need to create a log-based metric first, which adds complexity and may not support the IP range filter efficiently. Option B is incorrect because Cloud Scheduler runs on a schedule (e.g., hourly), which would not provide real-time notifications. Option D is incorrect because Cloud Audit Logs alone cannot directly forward logs to Slack; you need an intermediary such as Pub/Sub and a Cloud Function.
Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Create a Cloud Monitoring alert policy that checks for failed logins in logs and sends a notification to Slack via webhook.
- ✗
Use Cloud Scheduler to run a batch job every hour that queries logs and sends a summary to Slack.
Why it's wrong here
This is not real-time.
- ✓
Export Admin Activity audit logs to a Pub/Sub topic via a sink, and use a Cloud Function that subscribes to the topic to filter and post to Slack.
Why this is correct
This provides real-time, scalable, and customizable notification.
Related concept
CIDR notation defines the prefix length.
- ✗
Enable Cloud Audit Logs and configure a log router to forward logs directly to Slack.
Why it's wrong here
Log Router cannot send directly to Slack without a custom endpoint.
Common exam traps
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Detailed technical explanation
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
KKey Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
TExam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Key takeaway
Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.
Real-world example
How this comes up in practice
A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.
Visual reference
What to study next
Got this wrong? Here's your next step.
Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related PCSE subnetting questions on CIDR, address ranges, and subnet selection.
Related practice questions
Related PCSE practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Configuring Access Within a Cloud Solution Environment practice questions
Practise PCSE questions linked to Configuring Access Within a Cloud Solution Environment.
Ensuring Data Protection practice questions
Practise PCSE questions linked to Ensuring Data Protection.
Managing Operations in a Cloud Solution Environment practice questions
Practise PCSE questions linked to Managing Operations in a Cloud Solution Environment.
Configuring Network Security practice questions
Practise PCSE questions linked to Configuring Network Security.
Supporting Compliance Requirements practice questions
Practise PCSE questions linked to Supporting Compliance Requirements.
PCSE fundamentals practice questions
Practise PCSE questions linked to PCSE fundamentals.
PCSE scenario practice questions
Practise PCSE questions linked to PCSE scenario.
PCSE troubleshooting practice questions
Practise PCSE questions linked to PCSE troubleshooting.
Practice this exam
Start a free PCSE practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this PCSE question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: Export Admin Activity audit logs to a Pub/Sub topic via a sink, and use a Cloud Function that subscribes to the topic to filter and post to Slack. — The correct answer is C. Admin Activity audit logs capture login events (e.g., failed logins). By creating a log sink that exports these logs to a Pub/Sub topic, you can stream them in real-time. A Cloud Function subscribed to that topic can filter for failed logins from outside the corporate CIDR and post a notification to Slack via a webhook. This approach provides real-time alerting with minimal latency and cost. Option A is incorrect because Cloud Monitoring alert policies can use log-based metrics, but they cannot directly check for failed logins in logs; you would need to create a log-based metric first, which adds complexity and may not support the IP range filter efficiently. Option B is incorrect because Cloud Scheduler runs on a schedule (e.g., hourly), which would not provide real-time notifications. Option D is incorrect because Cloud Audit Logs alone cannot directly forward logs to Slack; you need an intermediary such as Pub/Sub and a Cloud Function.
What should I do if I get this PCSE question wrong?
Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related PCSE subnetting questions on CIDR, address ranges, and subnet selection.
What is the key concept behind this question?
CIDR notation defines the prefix length.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More PCSE practice questions
- Match each encryption scope to its description.
- Drag and drop the steps to set up a Private Google Access for on-premises hosts using Private Service Connect in the cor…
- A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only t…
- A company must implement data residency requirements that prohibit storing data outside the European Union. They are usi…
- A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their cor…
- A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial c…
Last reviewed: Jun 24, 2026
This PCSE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCSE exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.