🔥 3-day streak
Professional Security Operations Engineer66 / 241
Question 66 of 241

A security engineer onboards a new firewall vendor whose syslog output does not match any built-in Google SecOps log type. Ingestion is currently succeeding, but events land under a generic/unstructured log type and analysts complain that UDM fields like principal.ip, target.ip, and security_result.action are empty, breaking existing detection rules. The engineer wants events to populate these UDM fields correctly with the least long-term maintenance burden. What is the most appropriate action?

Reviewed for accuracy · Report an issueNext question