🔥 3-day streak
Professional Security Operations Engineer67 / 241
Question 67 of 241
A security operations engineer is onboarding a new firewall appliance into Google SecOps. The vendor sends syslog messages in a hybrid format: a standard syslog header followed by structured CEF-style key-value pairs (e.g., src=10.1.1.5 dst=8.8.8.8 act=blocked). There is no prebuilt parser for this appliance. The engineer needs UDM events where network.direction, principal.ip, and target.ip are populated so that existing network detection rules fire correctly. Which approach best achieves reliable normalization for this source?
Reviewed for accuracy · Report an issueNext question