CrowdStrike CCSE-204 CrowdStrike Certified SIEM Engineer Exam Practice Test

The correct answer is C. Assignment Operator .

In Falcon LogScale parser and query syntax, the assignment operator := is used to assign a value to a new field. CrowdStrike’s LogScale documentation explains that := is shorthand for eval, and that it can also be used as shorthand with functions that support an as parameter to assign results to a named output field. This is the right approach when you want to create an ECS field while preserving the existing Vendor field , because you are creating an additional field rather than replacing the original one.

Why the other options are not the best answer:

Regular Expression Field Extraction is used to extract values from raw text when the value is not already parsed, so it is not the normal choice when you already have a Vendor field and simply want to map it to an ECS field as well. As Parameter can name the output field of certain functions, but the CrowdStrike documentation for rename() shows that renaming changes the field name, which does not meet the requirement to keep both field names visible. The rename() examples explicitly state that the original field names are replaced with the new field names.

So for a parser requirement that says “add ECS while maintaining Vendor,” the operationally correct method is to assign the Vendor value into a new ECS field , not rename the Vendor field away.

==========

The correct answer is A . CrowdStrike LogScale documentation says the Live checkbox controls whether dashboard widget queries run as live or static queries. When enabled, the dashboard continuously updates with real-time data , which is exactly what the question asks for.

==========

The correct answer is D. 500 . In CrowdStrike Next-Gen SIEM correlation content limits, the maximum number of active correlation rules allowed in a single CID is 500 . This represents the upper bound for enabled rule objects at the customer-ID level and is intended to balance detection scale with performance and manageability of rule-driven detections. This is why the other options are incorrect and 500 is the correct limit.

==========

CrowdStrike’s Fleet Management documentation for Falcon LogScale Collector explains that labels are used to associate metadata with a Fleet Management configuration and with collector instances so they can be tagged, identified, organized, and filtered. The docs specifically describe labels as helping organize collectors by criteria such as environment, region, service, or other custom values. That directly matches option B: Categorize collectors for group configurations .

Why the other options are incorrect:

Option A is incorrect because labels are not used for authentication or password management.

Option C is incorrect because labels do not perform traffic monitoring; they are metadata for organization and selection.

Option D is incorrect because labels do not assign network settings such as IP addresses.

The correct answer is A. CrowdStrike Parsing Standard (CPS) compliant parser .

CrowdStrike’s parsing documentation says CPS is used to normalize and validate data so field names and structures are standardized across data sources for more consistent searching and analysis . CPS-compliant parsers also require specific tags and field population rules, which is exactly what makes incoming data searchable and detection-ready in Falcon Next-Gen SIEM.

The other options are not the general standard CrowdStrike uses for detection-ready normalization:

Charlotte AI-generated parser is not the documented parser standard.

VMWare ESXI parser and Linux syslog parser may describe source-specific parsers, but the question asks for the parser type used generally to transform incoming data into normalized, searchable events. That is CPS.

==========

The correct answer is C. logscale-collector .

CrowdStrike’s Falcon LogScale Collector installation documentation states that the service name varies by installation method. It explicitly says that for Full Installation the service is called logscale-collector , while Custom Installation uses humio-log-collector . Since the question specifically refers to deployment using the Fleet Management interface commands , that aligns with the Full Installation workflow, so the correct service name is logscale-collector .

==========

The correct answer is B. HTTP Event Connector .

CrowdStrike describes the HTTP Event Connector (HEC) as the generic mechanism used to bring third-party data into Falcon Next-Gen SIEM when you need to onboard logs from sources that are not tied to a specific cloud-native connector. CrowdStrike’s own Next-Gen SIEM materials highlight pre-built connectors and HTTP Event Collectors as the way to extend visibility to many different third-party sources.

Because this question describes a custom internal application hosted on-prem , the cloud-specific connectors in options A , C , and D do not fit. The broad, flexible connector option intended for custom or non-native sources is the HTTP Event Connector . Also, CrowdStrike’s vCenter example shows an architecture where logs are first centralized and then onboarded to Falcon Next-Gen SIEM through an HTTP Event Connector , which aligns with this kind of custom-source pattern.

The correct answer is C. Falcon Foundry .

CrowdStrike describes Falcon Foundry as its application development platform for building custom apps on the Falcon platform. CrowdStrike’s materials state that Falcon Foundry allows customers to quickly create their own apps, and the Foundry documentation/blog content shows it supports application logic and storage needed for custom workflows and monitoring use cases. That is exactly what fits a requirement to build an app that monitors a defined set of high-risk users and triggers alerts on suspicious activity.

Why the other options are incorrect:

Falcon QueryBuilder is for constructing queries, not building an application. Falcon Spotlight is CrowdStrike’s vulnerability management capability, not an app-development framework. Charlotte AI is an AI assistant capability, not the platform feature used to develop custom monitoring apps. The only option that matches “develop this app” is Falcon Foundry .

The correct answer is C. #observer.type and #event.kind .

CrowdStrike’s CPS migration documentation lists the CPS-compliant parser tags, including #event.dataset , #event.kind , #event.module , and #observer.type . Since both #observer.type and #event.kind are explicitly listed, option C is the correct pair.

Why the other options are incorrect:

The documentation lists #Vendor as a tag, not #vendor.name , and it does not list #event.type among the CPS parser tags in the tag list. That makes options A, B, and D incorrect.

The correct answer is C. Number of concurrent requests a sink is using .

CrowdStrike’s Falcon LogScale Collector sizing guidance states that in high throughput scenarios where the ingestion endpoint becomes a bottleneck, it can be beneficial to increase the number of concurrent requests a sink is using through the workers setting. The docs explicitly say this helps when the number of parallel requests is limiting throughput.

The same document also explains why D is wrong: increasing the memory queue size does not increase sink throughput. The queue exists to keep data available for the sink; if throughput is lower than the incoming data rate, the queue will eventually fill up anyway.

So:

C is correct because more sink workers can improve performance in high-volume conditions.

D is incorrect because queue size does not fix the throughput bottleneck.

A and B are not the documented tuning setting for this issue in the collector guidance.

==========

The correct answer is D. Syslog . The sample log follows classic syslog structure: a syslog-style timestamp, hostname, process name with PID, and message body. CrowdStrike’s LogScale Collector documentation includes Syslog as a source/parser context for logs of this format, making Syslog the appropriate default parser choice here.

==========

The correct answer is B. NG SIEM Security Lead . Parser creation and management requires elevated SIEM content and configuration capabilities that go beyond standard analyst activity, but it does not require the full breadth of platform-wide administrative control. NG SIEM Security Lead is the default role that best fits parser management while still maintaining least privilege compared with NG SIEM Administrator . NG SIEM Analyst and NG SIEM Analyst – Read Only do not provide the content-management level access needed for parser administration. CrowdStrike’s SIEM role separation supports using the Security Lead role for advanced SIEM content configuration tasks.

==========

The correct answer is D . CrowdStrike LogScale’s timestamp parsing documentation gives this exact pattern as the example for a JSON event whose ts field contains 2018/11/01 14:31:10 with no timezone present. The documented solution is:

parseJson() | parseTimestamp("yyyy/MM/dd HH:mm:ss", timezone="Europe/Paris", field=ts)

This works because the event is JSON, so parseJson() is the right first step, and the timestamp format matches the sample exactly. Since the timestamp string does not include timezone information, CrowdStrike documentation says you must provide a timezone parameter to parseTimestamp().

Why the other options are incorrect:

A is wrong because the format string does not match the timestamp. The event uses 2018/11/01 14:31:10, which is yyyy/MM/dd HH:mm:ss, not dd/MMM/yyyy:HH:mm:ss Z. Also, the sample timestamp does not include a Z timezone token in the raw string. B and C are wrong because kvParse() is for key-value logs, not JSON logs, and this event is clearly JSON. CrowdStrike’s built-in parser documentation distinguishes JSON parsing from KV parsing, and the timestamp example for missing timezone specifically uses parseJson() with parseTimestamp().

==========

kvParse() is designed for logs that use key=value structure. It extracts the keys and values into searchable fields. parseJson() is for JSON objects, parseCsv() is for delimited positional records, and parseXml() is for XML-formatted content.

==========

The correct answer is A. All . Falcon Next-Gen SIEM is designed to unify first-party Falcon telemetry with third-party ingested data in a single investigation and search experience. When the query needs to include both Falcon Sensor data and third-party connector data, the correct data source selection is the one that includes both categories together, which is All . CrowdStrike describes Next-Gen SIEM as correlating native Falcon data with third-party sources to provide a unified security view.

The correct answer is D. @event_parsed .

CrowdStrike LogScale’s parser error documentation explicitly states that @event_parsed indicates whether the event has been successfully parsed during ingest . The same documentation says it is set to false when there was a parsing error. That exactly matches the question.

Why the other options are incorrect:

@ingesttimestamp represents the time the platform ingested the event, not whether parsing succeeded. @rawstring contains the original raw event data. @error_msg can contain error details, but it is not the primary field that directly indicates parse success or failure. The field CrowdStrike documents for parsing status is @event_parsed .

==========

CrowdStrike LogScale documentation states that groupBy() is used to group events by one or more specified fields, similar to SQL GROUP BY. The documentation also says the function parameter accepts aggregate functions, and its default is count(as=_count). That means the query that explicitly groups by ComputerName, UserName, and CommandLine and applies function=count() is the correct way to output the frequency of each unique combination of those three fields.

Why the other options are incorrect:

A is incorrect because table() formats output rows but does not aggregate unique combinations into frequencies the way groupBy() does. Adding count() after table() does not produce grouped counts for each unique triplet. B is incorrect because table() is not the aggregation function documented for grouped frequency counting; groupBy() is. D is close, but it relies on the default count behavior rather than explicitly specifying function=count(). Since the question asks which query will output the frequency of a unique set, C is the most correct and explicit choice.

The correct answer is B .

CrowdStrike’s Falcon LogScale Collector debug documentation says the monitor command launches a monitor terminal application and can be used to see a live view of the running state of the collector. It explicitly states that the running sources, queues and sinks can be inspected in real time . That exactly matches the question.

Why the other options are incorrect:

A can help review service logs, but it is not the documented real-time visualization command for sources and sinks.

C and D do not match the documented command for this purpose in the collector troubleshooting documentation.

==========