🔥 3-day streak
Professional Security Operations Engineer83 / 241
Question 83 of 241

A SecOps parser engineer is authoring a custom parser for a new authentication appliance. The raw logs contain successful and failed interactive logins. Detection engineers report that rules referencing USER_LOGIN events never match this source, even though the parser runs without errors and populates principal and target fields correctly. Which parser configuration is the most likely root cause?

Reviewed for accuracy · Report an issueNext question