PROFESSIONAL-SECURITY-OPERATIONS-ENGINEER Question #56: Real Exam Question with Answer & Explanation

The correct answer is D. Create a parser extension that maps the missing source fields to the correct UDM fields and

Question

Your team has onboarded a new log source from a third-party DNS filtering solution. After ingestion, you observe that key UDM fields such as network.dns.questions.name and metadata.product_event_type are missing from the parsed events in Google Security Operations (SecOps). You suspect that the default parser does not fully align with the source format. You need to ensure these fields are available for downstream detection rules that rely on DNS query telemetry and event categorization. What should you do?

Options

  • A. Modify the ingestion source definition to remap raw fields directly to UDM by using the UDM
  • B. Enable asset enrichment for the log source to infer missing fields based on correlated host
  • C. Use a custom parser that outputs all fields as raw JSON for detection.
  • D. Create a parser extension that maps the missing source fields to the correct UDM fields and

Explanation

The correct approach is to create a parser extension that maps the missing source fields (e.g., DNS query names and event type) to the appropriate UDM fields and attach it to the existing parser. Parser extensions allow you to customize field mappings without replacing the default parser, ensuring that downstream detections relying on DNS telemetry and event categorization
