GCP Professional Cloud Security Engineer Practice Question
Your security team stores all audit logs in a central BigQuery dataset for threat hunting. An organization-level aggregated log sink has already been created with includeChildren=true and a filter of logName:"/cloudaudit.googleapis.com". Several project-level teams are starting to create their own project sinks to export logs to Pub/Sub for near-real-time alerting. The governance group wants to avoid duplicate BigQuery ingestion charges yet still guarantee that every audit log entry for every project, including any that are not routed by a project sink, reaches the central dataset. Which configuration should you implement on the organization-level sink to meet these requirements?
Convert the sink to intercepting mode so it always copies logs before project sinks can export them.
Restrict the sink's filter to severity>=ERROR to reduce duplicates without changing interception behavior.
Keep includeChildren=true but set the sink as non-intercepting so it only exports entries not already captured by project sinks.
Disable includeChildren on the sink and ask every project to add the central BigQuery dataset as an additional destination.
An intercepting aggregated sink exports a copy of matching log entries before any child-level sinks process them. If duplicate exports are undesirable, you turn off interception so that the org-level sink only receives entries that are left un-exported by lower-level sinks. Setting the org-level aggregated sink to non-intercepting (includeChildren=true, IS_LOG_INTERCEPTION=false) prevents BigQuery duplicates, while still guaranteeing coverage for any logs a project sink misses. Making the sink intercepting would re-introduce duplication, and disabling includeChildren or changing the filter would break the central coverage objective.
GCP Professional Cloud Security Engineer
Managing operations