CrowdStrike CCSE-204 CrowdStrike Certified SIEM Engineer Exam Practice Test

Demo: 18 questions
Total 62 questions

CrowdStrike Certified SIEM Engineer Questions and Answers

Question 1

You are a Next-Gen SIEM Engineer responsible for parser creation. An internal requirement is to maintain both the Vendor and ECS field names within the Fields panel in Advanced Event Search.

What is the correct method for adding the ECS field while maintaining the Vendor field in a parser?

Options:

A. Field Function
B. Regular Expression Field Extraction
C. Assignment Operator
D. As Parameter

Question 2

You want a Next-Gen SIEM dashboard to update automatically when new data is available.

Which action would you take?

Options:

A. Toggle the "Live" button to on
B. Change the "Fixed Time Range" to the current date
C. Change the "Relative Time Range" interval to 1 millisecond ago
D. Change the "Start Time" interval to 1 hour

Question 3

What is the maximum number of active correlation rules in a CID?

Options:

A. 1000
B. 250
C. 750
D. 500

Question 4

What is the purpose of labels in Fleet Management?

Options:

A. Set passwords for collector instances
B. Categorize collectors for group configurations
C. Monitor network traffic
D. Assign IP addresses to collectors

Question 5

When setting up a data connector, which parser can be used to transform incoming data into searchable events that trigger detections in Next-Gen SIEM?

Options:

A. CrowdStrike Parsing Standard (CPS) compliant parser
B. Charlotte AI-generated parser
C. VMware ESXi parser
D. Linux syslog parser

Question 6

When deploying the Falcon Log Collector using the commands in the CrowdStrike Fleet Management interface, what is the correct service name?

Options:

A. flc-api
B. humio-collector
C. logscale-collector
D. flc-collector

Question 7

You need to ingest data from a custom internal application hosted on-prem. The application writes logs to a file on a syslog server.

Which data connector would you use?

Options:

A. Google Cloud Pub/Sub Data Connector
B. HTTP Event Connector
C. Amazon S3 Data Connector
D. Azure Virtual Machines Data Connector

Question 8

An internal security team identified a small number of high-risk users. They ask you to create an app that will monitor these users and trigger an alert when specific suspicious behavior is detected.

Which Falcon feature should you use to develop this app?

Options:

A. Falcon QueryBuilder
B. Falcon Spotlight
C. Falcon Foundry
D. Charlotte AI

Question 9

Which two tags are compliant with the CrowdStrike Parsing Standard (CPS)?

Options:

A. #event.type and #event.kind
B. #vendor.name and #event.type
C. #observer.type and #event.kind
D. #observer.type and #vendor.name

Question 10

You notice a larger than expected ingest delay from one of your high-volume streaming log collectors.

Which setting should you increase on the log collector to improve performance?

Options:

A. Amount of available disk space
B. Available source throughput
C. Number of concurrent requests a sink is using
D. Default memory queue size

Question 11

Which default parser would you use to parse the log event below?

Jan 15 14:22:07 host1 sshd[1234]: Failed login

Options:

A. Key-value
B. JSON
C. Regex
D. Syslog

Question 12

Which default role will maintain least privilege and allow for creation and management of parsers?

Options:

A. NG SIEM Analyst
B. NG SIEM Security Lead
C. NG SIEM Administrator
D. NG SIEM Analyst – Read Only

Question 13

Review the log event below:

{"ts": "2018/11/01 14:31:10", "server": "web01", "message": "Out of memory"}

Which parsing function is correct to add a missing timezone field?

Options:

A. parseJson() | parseTimestamp("dd/MMM/yyyy:HH:mm:ss Z", timezone="Europe/Paris", field=ts)
B. kvParse() | findTimestamp(field=ts, timezone="Europe/London")
C. kvParse() | findTimestamp(timezone="America/New_York")
D. parseJson() | parseTimestamp("yyyy/MM/dd HH:mm:ss", timezone="Europe/Paris", field=ts)

Question 14

Which function is most appropriate for extracting fields from logs formatted as key=value pairs?

Options:

A. parseJson()
B. kvParse()
C. parseCsv()
D. parseXml()

Question 15

You are performing a search query using data from the Falcon Sensor and third-party data connectors.

Which Advanced Event Search data source should you choose?

Options:

A. All
B. Falcon
C. Third-party
D. Custom

Question 16

You are reviewing a lookup file to determine whether an event was successfully parsed during ingestion.

Which metadata field indicates the event’s parsing status?

Options:

A. @ingesttimestamp
B. @rawstring
C. @error_msg
D. @event_parsed

Question 17

An event has the following fields:

Which CQL query will output the frequency of a unique set of ComputerName, UserName, CommandLine?

Options:

A. #event_simpleName = ProcessRollup2 FileName = ssh.exe CommandLine = /\s-R\s.+\s-p/ | table([ComputerName, UserName, CommandLine]) | count()

B.
#event_simpleName = ProcessRollup2
| FileName = ssh.exe
| CommandLine = /\s-R\s.+\s-p/
| table([ComputerName, UserName, CommandLine], function=count())

C.
#event_simpleName = ProcessRollup2
| FileName = ssh.exe
| CommandLine = /\s-R\s.+\s-p/
| groupBy([ComputerName, UserName, CommandLine], function=count())

D. #event_simpleName = ProcessRollup2 FileName = ssh.exe CommandLine = /\s-R\s.+\s-p/ | groupBy([ComputerName, UserName, CommandLine])

Question 18

Which command helps visualize in real time whether sources and sinks are working properly in the Log Collector?

Options:

A. journalctl -u logscale-collector
B. logscale-collector monitor
C. logscale-collector check
D. logscale-collector --status
