Data management
Drill 20 practice questions focused entirely on Data management for the Google Cloud PSOE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your organization forwards logs from a niche in-house web application firewall to Google SecOps. The logs arrive successfully, but analysts report that key fields such as source IP, blocked URL, and rule ID appear only as raw text and cannot be searched or used in detection rules. There is no default parser for this custom log format. What is the most appropriate action to make these fields usable in searches and rules?
Your SOC maintains a curated inventory of business-critical server hostnames and their asset owners in a spreadsheet. Analysts want detections and searches in Google SecOps to automatically flag events involving these critical assets and surface the owning team, without modifying the raw logs or rewriting parsers for every log source. Which approach best meets this requirement?
Your organization ingests firewall, DNS, and endpoint telemetry into Google SecOps. Compliance requires that all security logs be searchable for 1 year, but your team has determined that raw DNS logs generate the highest volume and are rarely needed after 90 days for active investigations. Leadership wants to control storage costs while still meeting the 1-year searchability mandate. What is the most appropriate way to configure data retention in Google SecOps?
A security operations team ingests high-volume Zeek connection logs into Google SecOps. Analysts complain that the raw per-connection events flood UDM search and inflate storage, yet most individual connection records are never referenced during investigations. Only aggregated session-level context and anomalous flows matter for detections. The team wants to reduce ingestion noise and cost while preserving the ability to hunt on meaningful network activity. Which approach best addresses this data management challenge?
A security operations team wants detections in Google SecOps to automatically incorporate business context so that alerts on high-value hosts (e.g., domain controllers, payment servers) can be triaged first. They already ingest their CMDB export, which maps hostnames to asset owner, business unit, and criticality tier. The team wants this business context to appear as enrichment on UDM events at detection time, and to be usable within YARA-L rule logic. Which approach best meets this requirement?
A security operations engineer ingests logs from a widely-used firewall vendor that already has a Google SecOps-provided default parser. The engineer notices that a newly added custom field in the firewall's log format (introduced after a firmware upgrade) is not being extracted into UDM. The engineer wants to capture this new field while keeping the reliability and future maintenance benefits of Google's managed parser. What is the most appropriate approach?
A security operations engineer is onboarding dozens of new log sources into Google SecOps. Leadership has mandated that authentication and identity logs (from the corporate IdP and VPN gateways) must always be searchable and processed ahead of high-volume, lower-value logs such as verbose CDN access logs during periods of ingestion backpressure. Which approach best ensures the identity-related telemetry is consistently prioritized within the SecOps data pipeline?
A security operations team ingests logs from dozens of sources into Google SecOps. Their monthly ingestion budget is fixed, but a newly onboarded verbose Windows DHCP log source is consuming a disproportionate share of the quota, crowding out higher-value authentication and EDR telemetry. The team must keep the DHCP data available for occasional IP-to-host attribution during investigations but does not need it in real-time detection rules. What is the MOST appropriate approach to align ingestion with detection priorities?
A security operations engineer is onboarding a new firewall vendor into Google SecOps. The vendor produces high-volume traffic logs, but no default parser exists for this exact product, and the team has not yet built a custom parser. Leadership requires that these logs be searchable and retained immediately for a compliance audit next week, while detection engineers work on parsing in parallel. Which ingestion approach best satisfies the immediate requirement without blocking future normalization?
A security engineer onboards a new firewall vendor whose syslog output does not match any built-in Google SecOps log type. Ingestion is currently succeeding, but events land under a generic/unstructured log type and analysts complain that UDM fields like principal.ip, target.ip, and security_result.action are empty, breaking existing detection rules. The engineer wants events to populate these UDM fields correctly with the least long-term maintenance burden. What is the most appropriate action?
A security operations engineer is onboarding a new firewall appliance into Google SecOps. The vendor sends syslog messages in a hybrid format: a standard syslog header followed by structured CEF-style key-value pairs (e.g., src=10.1.1.5 dst=8.8.8.8 act=blocked). There is no prebuilt parser for this appliance. The engineer needs UDM events where network.direction, principal.ip, and target.ip are populated so that existing network detection rules fire correctly. Which approach best achieves reliable normalization for this source?
A Security Operations Engineer notices that a newly onboarded firewall log source in Google SecOps shows a high volume of events landing in the parser error/validation error state rather than being normalized into UDM. The raw logs are arriving successfully and feed health is green. Detections that depend on this source are not firing. What is the MOST appropriate first action to restore normalized data flow?
A firewall vendor ships logs in CEF format, and your team maintains a parser extension that extracts several custom device-event fields into UDM. After a firmware upgrade, the vendor begins emitting a NEW CEF extension key (deviceCustomString5) carrying the threat category, while the older key it replaced still appears in logs from devices that have not yet been upgraded. Detection engineers need the threat category reliably mapped to security_result.category_details for BOTH firmware versions during the multi-month rollout. What is the most appropriate approach in Google SecOps?
Your SOC uses a Google SecOps default parser for a firewall vendor's logs, but the vendor recently added a proprietary threat-verdict field that the default parser does not map. You author a parser extension to map this field into a UDM security_result field. Two weeks later, Google publishes an updated release of the default parser that adds native mapping for several other new fields but still does not include the threat-verdict field. What happens to your parser extension after the default parser update, and what should you verify?
A SecOps engineer ingests a high-volume proxy log source that is already mapped by a default parser. Analysts frequently pivot on a vendor-specific field, 'x-forwarded-user', that the default parser leaves in the raw log but does not map to any UDM field. As a result, analysts must run slow raw-log regex searches to find events by that user identity, and these searches routinely time out during investigations. What is the most appropriate way to make this field efficiently searchable without disrupting the existing default parser behavior?
Your organization ingests firewall logs from a vendor that has a built-in default parser in Google SecOps. After a firmware upgrade, the vendor added three new fields to its log format that carry important threat context (application category, user identity, and TLS version). The default parser ignores these new fields, and you cannot modify Google-managed default parsers directly. Detection engineers need these fields normalized into UDM without disrupting the existing, working default parser mappings. What is the most appropriate approach?
Your organization ingests logs from a niche network access control (NAC) appliance that Google SecOps does not have a default parser for. The appliance emits well-structured JSON, and your detection engineers need the events searchable in UDM within the current sprint. The SecOps admin asks how to establish reliable parsing for this source with the least long-term maintenance burden while ensuring the data is normalized correctly. What is the most appropriate approach?
A SecOps engineer discovers that a critical firewall vendor's log field, 'threat_signature_id', was never mapped to UDM by the existing custom parser. Six months of these logs are already ingested. The security team now needs this field populated in UDM so detection rules can reference it going forward, but they also want the historical events to reflect the new mapping. Which approach correctly meets both requirements?
A security engineer at a logistics company ingests DHCP lease logs into Google SecOps. The parser correctly extracts the client MAC address and assigned IP into UDM fields. However, analysts complain that events lack the hostname and asset owner, which are maintained in an external CMDB and are needed for triage. The engineer wants asset owner and hostname to appear on the DHCP events without modifying the raw logs or the vendor's export. Which approach correctly satisfies this requirement in Google SecOps?
A SecOps engineer is onboarding a new firewall log source. The security team needs to run detections that identify blocked connections by source IP, destination IP, and action within the first week, but the vendor logs contain over 200 fields and building a complete custom parser will take several sprints. What is the most effective approach to deliver detection value quickly while planning for full coverage?
More PSOE practice
Keep going with the other Professional Security Operations Engineer domains, or take a full timed mock exam.
← Back to PSOE overview