🔥 3-day streak
Professional Security Operations Engineer71 / 241
Question 71 of 241

A SecOps engineer ingests a high-volume proxy log source that is already mapped by a default parser. Analysts frequently pivot on a vendor-specific field, 'x-forwarded-user', that the default parser leaves in the raw log but does not map to any UDM field. As a result, analysts must run slow raw-log regex searches to find events by that user identity, and these searches routinely time out during investigations. What is the most appropriate way to make this field efficiently searchable without disrupting the existing default parser behavior?

Reviewed for accuracy · Report an issueNext question