🔥 3-day streak
Professional Security Operations Engineer69 / 241
Question 69 of 241
A firewall vendor ships logs in CEF format, and your team maintains a parser extension that extracts several custom device-event fields into UDM. After a firmware upgrade, the vendor begins emitting a NEW CEF extension key (deviceCustomString5) carrying the threat category, while the older key it replaced still appears in logs from devices that have not yet been upgraded. Detection engineers need the threat category reliably mapped to security_result.category_details for BOTH firmware versions during the multi-month rollout. What is the most appropriate approach in Google SecOps?
Reviewed for accuracy · Report an issueNext question