Exam Professional Cloud Security Engineer topic 1 question 132 discussion

B because for all projects D "Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action." https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#services

Ans:B,C https://cloud.google.com/logging/docs/export/aggregated_sinks: To use aggregated sinks, you create a sink in a Google Cloud organization or folder, and set the sink's includeChildren parameter to True. That sink can then route log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or Cloud projects. https://cloud.google.com/logging/docs/audit#data-access Data Access audit logs-- except for BigQuery Data Access audit logs-- are disabled by default because audit logs can be quite large. If you want Data Access audit logs to be written for Google Cloud services other than BigQuery, you must explicitly enable them

Why B. Create a Log Sink at the organization level with the includeChildren parameter and set the destination to a Pub/Sub topic is Correct: E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information. Why Not the Other Options: C Enabling Data Access logs is not required for this use case. The question only asks for login activity and configuration changes, which are captured in Admin Activity logs D. Enable Google Workspace audit logs This is not directly relevant. Google Workspace audit logs are not required for capturing Google Cloud login activity and configuration changes.

B because for all projects С

turn on audit and sink, pub-sub (near realtime)

No Workspace

why the other options are not as suitable: A: While creating a log sink at the organization level is correct, it won't include logs from child projects unless the includeChildren parameter is set to true. D: Google Workspace audit logs are separate from Google Cloud audit logs and won't provide the required information about Google Cloud console logins or API calls. E: While processing the AuthenticationInfo field is essential for identifying actors, it is not a step in the setup of the log export itself.

AE A: Setting up a Log Sink at the organization level with Pub/Sub as the destination guarantees you capture logs from all projects within your organization. E: The AuthenticationInfo field within audit log entries provides valuable details about the user or service that made the configuration change or login attempt. Your SIEM needs to be able to process this field to extract identity information for security audit purposes. B. IncludeChildren Parameter (Not Required) C. Data Access Audit Logs (Not Specific)

B & E B. Organization Level Log Sink with includeChildren parameter: Creating a log sink at the organization level with the includeChildren parameter ensures that you capture logs from all projects within the organization. Setting the destination to a Pub/Sub topic is suitable for real-time log export, meeting the requirement to export logs in near real-time to an external SIEM. E. Processing the AuthenticationInfo field: The AuthenticationInfo field in the audit log entries contains identity information, which is crucial for auditing security logs for login activity. Ensuring that the SIEM processes this field allows for a detailed analysis of who is accessing what, fulfilling the requirement to audit login activity events and API calls that modify configurations.

No mention of Google Workspace

ANS: B,D Api calls that modify configuration of resources are in Admin Activity audit logs, which are on by default (along with System Events and Deny Policies). Thus not C. You can also enable Google Workspace logs to be forwarded to Google cloud at the Org Level Same Link. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#log-types

Not mention og Google Workspace, definitely not D

To export and audit security logs for login activity events in the Google Cloud Console and API calls that modify configurations to Google Cloud resources with the specified requirements, you should take the following steps: B. Create a Log Sink at the organization level with the includeChildren parameter and set the destination to a Pub/Sub topic: This step will export related logs from all projects within the Google Cloud organization, including the logs you need. The use of Pub/Sub allows near real-time export of logs. C. Enable Data Access audit logs at the organization level to apply to all projects: Enabling Data Access audit logs at the organization level ensures that logs related to API calls that modify configurations to Google Cloud resources are captured.

Can someone explain how or why 'D' can be correct? The logs are Google Cloud not Workspace...

"B", "D" B because you need an aggregate sink to recursively pull from children entities otherwise scope is limited to the specific level where it's created. So this also excludes A. https://cloud.google.com/logging/docs/export/aggregated_sinks#create_an_aggregated_sink C - Data Access Audit Logs - Even though they include API events, they don't explicitly say they also include log-in events. https://cloud.google.com/logging/docs/audit#data-access D - For Workspace Audit Logs, they explicitly say that API calls and log-in events are captured which makes it a more complete option than "C". Also, cloud identity, which is used to manage users of GCP, is a workspace service. It would make sense that workspace logging providing cloud identity related sign-in logs. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging https://support.google.com/cloudidentity/answer/7319251

change to BE

BC looks lik ans