CCSE-204 CrowdStrike Certified SIEM Engineer Questions and Answers

The correct answer is B. sudo logscale-collector enroll < TOKEN > .

Current CrowdStrike LogScale Collector documentation shows the enrollment command using the logscale-collector binary. For example, the macOS custom installation page explicitly shows:

sudo logscale-collector enroll enrolltoken

The Fleet Management enrollment documentation also explains that you copy the enrollment command from the UI and run it on the machine hosting the collector.

Why the other options are incorrect:

A is a Windows path, not Linux. C reflects the older humio-log-collector naming that existed in earlier versions and release history, but the current docs use logscale-collector for the enrollment command. D does not match the documented command syntax. CrowdStrike’s current documentation centers the enrollment workflow on logscale-collector enroll < token > .

==========

The sample log is a comma-delimited record with values separated by commas, and some fields are enclosed in quotes. That structure matches CSV-style parsing . In CrowdStrike LogScale, parseCsv() is used for delimited logs where fields appear in a consistent order and are separated by a defined delimiter. This fits the sample shown.

Why the other options are incorrect:

A. XML is incorrect because the log does not use XML tags.

C. JSON is incorrect because the log is not in brace-based key/value JSON format.

D. Key-Value is incorrect because the fields are not expressed as key=value pairs; they are positional comma-separated values instead.

The correct answer is C. NGSIEM with both read and write permissions .

CrowdStrike integration guidance for querying Next-Gen SIEM event data states that the API client needs the NGSIEM scope with both Read and Write permissions . The documentation explains why: Write is required to create the search/query job, and Read is required to retrieve the query results.

Why the other options are incorrect:

A is incorrect because the documented requirement is Read + Write ; there is no documented “execute” permission in the cited guidance. B is incorrect because read-only access would let you read results but not create the query job. D is incorrect because write-only access would let you submit the job but not read the results back.

==========

The correct answer is D. @event_parsed .

CrowdStrike LogScale’s parser error documentation explicitly states that @event_parsed indicates whether the event has been successfully parsed during ingest . The same documentation says it is set to false when there was a parsing error. That exactly matches the question.

Why the other options are incorrect:

@ingesttimestamp represents the time the platform ingested the event, not whether parsing succeeded. @rawstring contains the original raw event data. @error_msg can contain error details, but it is not the primary field that directly indicates parse success or failure. The field CrowdStrike documents for parsing status is @event_parsed .

==========

The correct answer is C. Number of concurrent requests a sink is using .

CrowdStrike’s Falcon LogScale Collector sizing guidance states that in high throughput scenarios where the ingestion endpoint becomes a bottleneck, it can be beneficial to increase the number of concurrent requests a sink is using through the workers setting. The docs explicitly say this helps when the number of parallel requests is limiting throughput.

The same document also explains why D is wrong: increasing the memory queue size does not increase sink throughput. The queue exists to keep data available for the sink; if throughput is lower than the incoming data rate, the queue will eventually fill up anyway.

So:

C is correct because more sink workers can improve performance in high-volume conditions.

D is incorrect because queue size does not fix the throughput bottleneck.

A and B are not the documented tuning setting for this issue in the collector guidance.

==========

The least-privilege role for users who only need to view dashboards, searches, and investigation data without making changes is NG SIEM Analyst – Read Only . This role is designed for visibility without content modification or administrative access. The other roles provide broader operational or management permissions.

==========

kvParse() is designed for logs that use key=value structure. It extracts the keys and values into searchable fields. parseJson() is for JSON objects, parseCsv() is for delimited positional records, and parseXml() is for XML-formatted content.

==========

@timestamp represents the time the event actually occurred and is the appropriate field for event-time-based detections and correlations. @ingesttimestamp reflects when the platform received the event, which may differ due to delays. @rawstring is raw event content, and @id is not a time field.

==========

The best-supported answer is D. .YAML .

CrowdStrike’s recent Falcon Fusion SOAR technical content shows workflow structures represented in YAML . In particular, CrowdStrike’s workflow-based pagination example for Falcon Fusion SOAR says, “The following YAML shows the workflow structure,” and then provides the workflow definition in YAML form. That indicates YAML is the workflow definition format used in documented examples for reusable/pre-built workflow structures.

Why the other options are incorrect:

A (.CPP) and C (.PY) are programming language source files, not workflow import formats for Fusion SOAR. B (.JSON) is heavily used elsewhere in the platform for schemas, API payloads, and structured data, but the CrowdStrike materials I found that specifically show workflow structure present it in YAML , not JSON. Based on that documented workflow representation, .YAML is the correct answer here.

CrowdStrike’s Fleet Management documentation for Falcon LogScale Collector explains that labels are used to associate metadata with a Fleet Management configuration and with collector instances so they can be tagged, identified, organized, and filtered. The docs specifically describe labels as helping organize collectors by criteria such as environment, region, service, or other custom values. That directly matches option B: Categorize collectors for group configurations .

Why the other options are incorrect:

Option A is incorrect because labels are not used for authentication or password management.

Option C is incorrect because labels do not perform traffic monitoring; they are metadata for organization and selection.

Option D is incorrect because labels do not assign network settings such as IP addresses.

The correct answer is D .

CrowdStrike’s Falcon Next-Gen SIEM materials distinguish between CrowdStrike detections and third-party detections , and also state that Falcon Next-Gen SIEM extends data collection to third-party data sources . That means first-party detections are native to the Falcon platform, while third-party detections originate from data sources outside the platform that have been onboarded into Next-Gen SIEM.

Why the other options are incorrect:

A is wrong because third-party detections are not defined as detections created by the customer’s team.

B is wrong because the distinction is not based on visibility permissions.

C is wrong because CrowdStrike does not define first-party detections as inherently higher severity than third-party detections.

==========

The correct answer is C . In CQL, boolean conditions such as AND belong inside filter expressions, while pipeline functions like groupBy() and select() must be separated with the pipe (|) operator. CrowdStrike syntax guidance shows that functions are chained through the pipeline and should not be combined with AND. Option C correctly uses AND for the filter logic and uses pipes to separate the aggregation and projection steps.

==========

The correct answer is D . CrowdStrike LogScale’s timestamp parsing documentation gives this exact pattern as the example for a JSON event whose ts field contains 2018/11/01 14:31:10 with no timezone present. The documented solution is:

parseJson() | parseTimestamp("yyyy/MM/dd HH:mm:ss", timezone="Europe/Paris", field=ts)

This works because the event is JSON, so parseJson() is the right first step, and the timestamp format matches the sample exactly. Since the timestamp string does not include timezone information, CrowdStrike documentation says you must provide a timezone parameter to parseTimestamp().

Why the other options are incorrect:

A is wrong because the format string does not match the timestamp. The event uses 2018/11/01 14:31:10, which is yyyy/MM/dd HH:mm:ss, not dd/MMM/yyyy:HH:mm:ss Z. Also, the sample timestamp does not include a Z timezone token in the raw string. B and C are wrong because kvParse() is for key-value logs, not JSON logs, and this event is clearly JSON. CrowdStrike’s built-in parser documentation distinguishes JSON parsing from KV parsing, and the timestamp example for missing timezone specifically uses parseJson() with parseTimestamp().

==========

The correct answer is B . CrowdStrike LogScale documentation includes parseCEF() , parseJson() , and parseXml() as valid parsing functions. parseCEF() parses CEF-encoded messages, parseJson() parses JSON data into fields, and parseXml() parses XML content into fields.

The other options are incorrect because parseIETF() is not a valid CQL parse function in the documented parsing function set, and option D also contains malformed syntax with parseXml(.

The correct answer is C .

CrowdStrike’s CPS documentation explicitly lists the CPS-compliant parser tags, and the relevant four event parser tags in that list are #event.dataset , #event.kind , #event.module , and #event.outcome . That exactly matches option C.

Why the other options are incorrect:

event.category is an important event categorization field in CPS, but it is not one of the four parser tags listed in the CPS tag set that this question is asking about. The documented parser tag list includes event.dataset , event.kind , event.module , and event.outcome .