Google Cloud Professional Security Operations Engineer — Question 4
Your organization's Google Security Operations (SecOps) tenant is ingesting a vendor's firewall logs in its default JSON format using the Google-provided parser for that log. The vendor recently released a patch that introduces a new field and renames an existing field in the logs. The parser does not recognize these two fields and they remain available only in the raw logs, while the rest of the log is parsed normally. You need to resolve this logging issue as soon as possible while minimizing the overall change management impact. What should you do?
Answer options
- A. Write a code snippet, and deploy it in a parser extension to map both fields to UDM.
- B. Use the web interface-based custom parser feature in Google SecOps to copy the parser, and modify it to map both fields to UDM.
- C. Deploy a third-party data pipeline management tool to ingest the logs, and transform the updated fields into fields supported by the default parser.
- D. Use the Extract Additional Fields tool in Google SecOps to convert the raw log entries to additional fields.
Correct answer: D
Explanation
Option D is correct because the Extract Additional Fields tool lets you quickly extract the new and renamed fields from the raw log entries and expose them as additional fields, resolving the issue with minimal disruption and without touching the Google-provided parser. The other options involve more extensive changes, such as writing and deploying parser code, maintaining a copied custom parser, or standing up a third-party pipeline tool, each of which carries a higher change management impact.