CCSE-204 CrowdStrike Certified SIEM Engineer Questions and Answers

The correct answer is C. Select “Manage Internal Logging” from the menu .

CrowdStrike LogScale Collector documentation for Fleet Management explicitly describes the steps to enable internal logging from the Fleet view. It says to go to Data Ingest > Fleet Overview , click the ellipsis next to the specific collector instance, and then click Manage Internal Logging . From there, you can enable logging and choose where to send it.

Why the other options are incorrect:

A is incorrect because reinstalling the collector is not required. B is incorrect because the question specifically asks how to do it from the Fleet view , and the documented UI action is through the menu in Fleet Management, not by manually editing the local config. D is incorrect because the documentation does not describe enabling internal logging by restarting the service with a special flag.

==========

@timestamp represents the time the event actually occurred and is the appropriate field for event-time-based detections and correlations. @ingesttimestamp reflects when the platform received the event, which may differ due to delays. @rawstring is raw event content, and @id is not a time field.

==========

CrowdStrike LogScale documentation states that groupBy() is used to group events by one or more specified fields, similar to SQL GROUP BY. The documentation also says the function parameter accepts aggregate functions, and its default is count(as=_count). That means the query that explicitly groups by ComputerName, UserName, and CommandLine and applies function=count() is the correct way to output the frequency of each unique combination of those three fields.

Why the other options are incorrect:

A is incorrect because table() formats output rows but does not aggregate unique combinations into frequencies the way groupBy() does. Adding count() after table() does not produce grouped counts for each unique triplet. B is incorrect because table() is not the aggregation function documented for grouped frequency counting; groupBy() is. D is close, but it relies on the default count behavior rather than explicitly specifying function=count(). Since the question asks which query will output the frequency of a unique set, C is the most correct and explicit choice.

The correct answer is C. parseCsv() .

CrowdStrike LogScale documentation for parseCsv() states that the function supports a configurable delimiter parameter, and it is used to split a field into named columns. Because this log is space-delimited and the values are always in the same order, parseCsv() is the appropriate parser function by specifying a space as the delimiter and naming the columns in order.

Why the other options are incorrect:

A. parseCEF() is for CEF-formatted logs, which this event is not.

B. parseJson() is for JSON, and this event is plain text.

D. parseFixedWidth() is meant for logs where each field occupies a strict character width. CrowdStrike’s docs describe it as valuable when data must maintain strict positional formatting and defined field lengths. This question only guarantees field order , not fixed character widths, so parseFixedWidth() is not the best match.

The correct answer is C . CrowdStrike documents parseJson() as the function used to parse data or a field as JSON , converting JSON objects into named fields. The JSON example in the docs matches the structure of option C.

The other options are not JSON. A is key-value style text, B is access-log style text, and D is plain text with a timestamp and message. Those would require other parsing approaches, not parseJson().

A CPS-compliant approach keeps the original Vendor field while also assigning the value to a normalized ECS field. This preserves source fidelity and enables standardized search and detections. Renaming away the original field loses source context, and storing only in @rawstring prevents structured analysis.

==========

The best answer is D. Custom role .

CrowdStrike documentation for Store app integrations states that the Falcon Administrator role is required to enable apps and plugins in the CrowdStrike Store, which is the administrative side of connector configuration. That shows connector configuration is a privileged task.

At the same time, Falcon Fusion SOAR is the workflow automation capability used to create SOAR automations in the Falcon platform. CrowdStrike describes Fusion SOAR as the workflow engine used to build and run workflows and automate actions across security processes.

Because the question specifically asks for the role that allows both actions while maintaining least privilege , the most appropriate choice is a custom role that grants only the required permissions instead of assigning a broader built-in administrative role. This is an inference from the documented permission model: connector/plugin setup requires elevated permissions, and SOAR workflow creation is a separate capability, so a narrowly scoped custom role is the least-privilege answer among the options.

Why the other options are not the best answer:

NG SIEM Analyst is intended for analyst activity, not configuration and automation administration. Falcon Security Lead is broader and not the most precise least-privilege answer. NG SIEM Security Lead may have wide SIEM access, but the question asks for the option that best maintains least privilege across both connector configuration and SOAR automation creation; that is better satisfied by a custom role . This conclusion is based on the documented need for elevated permissions for plugin configuration and the separate SOAR workflow capability.

==========

The correct answer is D. Next-Gen SIEM Connector Dashboard .

CrowdStrike describes the Falcon Next-Gen SIEM Connector Dashboard as the place to understand the status and volume of data ingestion for third-party sources. This matches the question’s requirement for a dashboard showing third-party ingestion visibility.

The other options are not aimed at third-party SIEM connector ingestion monitoring:

Sensor Usage Dashboard relates to Falcon sensor usage, not connector-based third-party ingestion.

Sensor Subscription Dashboard is about licensing/subscription counts.

Falcon Flex Dashboard is related to subscription consumption and commercial usage, not connector ingestion telemetry.

==========

The correct answer is D. @event_parsed .

CrowdStrike LogScale’s parser error documentation explicitly states that @event_parsed indicates whether the event has been successfully parsed during ingest . The same documentation says it is set to false when there was a parsing error. That exactly matches the question.

Why the other options are incorrect:

@ingesttimestamp represents the time the platform ingested the event, not whether parsing succeeded. @rawstring contains the original raw event data. @error_msg can contain error details, but it is not the primary field that directly indicates parse success or failure. The field CrowdStrike documents for parsing status is @event_parsed .

==========

The correct answer is C. Quick insights without manual setup .

CrowdStrike describes Falcon Next-Gen SIEM as providing pre-built dashboards and says teams can quickly understand security and system health with prebuilt dashboards for data collection health, SOAR workflow executions, security trends, and more. That directly supports the idea that the main benefit is getting fast visibility and insights without having to build everything manually first .

Why the other options are incorrect:

A is incorrect because dashboards are for visualization and insight, not primarily for raw log access. B is incorrect because custom queries are a separate search capability, not the main value proposition of built-in dashboards. D is incorrect because CrowdStrike emphasizes using pre-built and custom dashboards for visualization, not modifying dashboard source code as the primary benefit.

==========

The correct answer is B . CrowdStrike states that AI-generated parsers are built from sample log records . Falcon Next-Gen SIEM analyzes those samples to learn the logs’ structure and content, so providing representative examples is the documented way to help the parser interpret and categorize data correctly.

Options A and C are not supported by CrowdStrike documentation. There is no requirement for a minimum parser length, and Next-Gen SIEM parsers are not written as Python or Java programs; CrowdStrike’s parser template shows a parser schema and script structure specific to Next-Gen SIEM.

==========

The correct answer is C .

CrowdStrike’s CPS documentation explicitly lists the CPS-compliant parser tags, and the relevant four event parser tags in that list are #event.dataset , #event.kind , #event.module , and #event.outcome . That exactly matches option C.

Why the other options are incorrect:

event.category is an important event categorization field in CPS, but it is not one of the four parser tags listed in the CPS tag set that this question is asking about. The documented parser tag list includes event.dataset , event.kind , event.module , and event.outcome .

The correct answer is D. Prefix the field with Vendor .

CrowdStrike’s CPS documentation says that when an event contains fields that do not exist in ECS , their names should be prefixed with the string literal Vendor. . The same guidance also says to always keep the original Vendor. field when normalizing third-party fields to ECS . That directly matches option D.

Why the other options are incorrect:

CPS does not tell you to remove non-ECS fields or leave them unstructured without normalization. It also does not say every non-compliant field must be converted into ECS. Instead, the standard preserves those vendor-specific fields under the Vendor. namespace.

==========

Elastic’s official ECS guidelines define Core fields as the fields most common across use cases and explicitly state that analysis content built on these fields should work properly on data from any relevant source. They also say to focus on populating these fields first . CrowdStrike’s CPS builds on ECS and is intended to standardize field names and structures across different data sources for consistent searching and analysis. Together, that makes Core fields the right answer when your goal is a consistent cross-source view.

Why the other options are incorrect:

Extended fields are useful, but ECS defines them as anything not in the core set, so they are not the primary normalization target for broad consistency.

Base fields and Detection fields are not the correct ECS field-type answer to this question as framed.

In the Next-Gen SIEM Connector Dashboard (specifically within the CrowdStrike Falcon ecosystem), the maximum retention period for which you can query third-party data ingestion metrics is 90 days .

Why 90 Days?

While the actual log data (telemetry) in a Next-Gen SIEM can often be retained for a year or longer depending on the subscription (e.g., 365 days), the health and ingestion metrics —which include data such as volume throughput, connector status, and ingestion rates—are typically stored for a shorter duration. This 90-day window is designed to provide enough historical context for:

Troubleshooting: Identifying when a specific connector started failing.

Trend Analysis: Monitoring changes in data volume over a fiscal quarter.

Capacity Planning: Reviewing average ingestion rates to ensure they stay within licensed limits.