Your organization's Google Security Operations (SecOps) tenant is ingesting a vendor's firewall logs in its default JSON format using the Google-provided parser for that log. The vendor recently released a patch that introduces a new field and renames an existing field in the logs. The parser does not recognize these two fields and they remain available only in the raw logs, while the rest of the log is parsed normally. You need to resolve this logging issue as soon as possible while minimizing the overall change management impact. What should you do?
Correct Answer: D
Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents: The correct, low-impact solution for augmenting a Google-managed parser is to use a parser extension. The problem states that the base parser is still working, but needs to be supplemented to map two new fields. Copying the entire parser (Option A) is a high-impact, high-maintenance solution ("Customer Specific Parser"). This action makes the organization responsible for all future updates and breaks the link to Google's managed updates, which is not a minimal-impact solution. The intended, modern solution is the parser extension. This feature allows an engineer to write a small, targeted snippet of Code-Based Normalization (CBN) code that executes after the Google-managed base parser. This extension code can access the raw_log and perform the specific logic needed to extract the two unmapped fields and assign them to their proper Universal Data Model (UDM) fields. This approach is the fastest to deploy and minimizes change management impact because the core parser remains managed and updated by Google, while the extension simply adds the custom logic on top. Option B, "Extract Additional Fields," is a UI-driven feature, but the underlying mechanism that saves and deploys this logic is the parser extension. Option D is the more precise description of the technical solution. (Reference: Google Cloud documentation, "Manage parsers"; "Parser extensions"; "Code-Based Normalization (CBN) syntax")
Security-Operations-Engineer Exam Question 22
Your organization requires the SOC director to be notified by email of escalated incidents and their results before a case is closed. You need to create a process that automatically sends the email when an escalated case is closed. You need to ensure the email is reliably sent for the appropriate cases. What process should you use?
Correct Answer: B
Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents: The most reliable, automated, and low-maintenance solution is to use the native Google Security Operations (SecOps) SOAR capabilities. A playbook block is a reusable, automated workflow that can be attached to other playbooks, such as the standard case closure playbook. This block would be configured with a conditional action. This action would check a case field (e.g., case. escalation_status == "escalated"). If the condition is true, the playbook automatically proceeds down the "Yes" branch, which would use an integration action (like "Send Email" for Gmail or Outlook) to send the case details to the director. After the email action, it would proceed to the "Close Case" action. If the condition is false (the case was not escalated), the playbook would proceed down the "No" branch, which would skip the email step and immediately close the case. This method ensures the process is "reliably sent" and "automatic," as it's built directly into the case management logic. Options C and D are incorrect because they rely on manual analyst actions, which are not reliable and violate the "automatic" requirement. Option A is a custom, external solution that adds unnecessary complexity and maintenance overhead compared to the native SOAR playbook functionality. (Reference: Google Cloud documentation, "Google SecOps SOAR Playbooks overview"; "Playbook blocks"; " Using conditional logic in playbooks")