CCSE-204 CrowdStrike Certified SIEM Engineer Question and Answers

The correct answer is A. @timestamp .

CrowdStrike LogScale documentation explains that @timestamp is the event timestamp, meaning when the event actually happened, while @ingesttimestamp is when the event arrived in LogScale. If you want the rule to fire based on when the event occurred, regardless of ingestion delay, you should use @timestamp .

Why the other options are incorrect:

D. @ingesttimestamp is specifically the ingest time, not the original event time.

B and C are not the standard event-time fields documented for this use. CrowdStrike’s event field documentation centers this distinction on @timestamp versus @ingesttimestamp.

==========

The correct answer is A. Use a multi-source configuration with different parsers per source .

CrowdStrike’s Falcon LogScale Collector documentation states that parsers can be set for each source . The collector configuration model also explains that the Sources section defines the source of the data, filters to be applied, and parsers . That means when different log formats are being collected, the correct design is to separate them by source and assign the appropriate parser to each source.

Why the other options are incorrect:

Switching to fleet mode or monitoring logs does not itself correct parsing logic. Restarting in debug mode may help troubleshoot, but it does not solve the format mismatch. Disabling parsing would make the data less useful, not more useful. The documented way to handle parser differences is to apply parsers at the source level.

==========

The correct answer is D. Prefix the field with Vendor .

CrowdStrike’s CPS documentation says that when an event contains fields that do not exist in ECS , their names should be prefixed with the string literal Vendor. . The same guidance also says to always keep the original Vendor. field when normalizing third-party fields to ECS . That directly matches option D.

Why the other options are incorrect:

CPS does not tell you to remove non-ECS fields or leave them unstructured without normalization. It also does not say every non-compliant field must be converted into ECS. Instead, the standard preserves those vendor-specific fields under the Vendor. namespace.

==========

The best-supported answer is D. .YAML .

CrowdStrike’s recent Falcon Fusion SOAR technical content shows workflow structures represented in YAML . In particular, CrowdStrike’s workflow-based pagination example for Falcon Fusion SOAR says, “The following YAML shows the workflow structure,” and then provides the workflow definition in YAML form. That indicates YAML is the workflow definition format used in documented examples for reusable/pre-built workflow structures.

Why the other options are incorrect:

A (.CPP) and C (.PY) are programming language source files, not workflow import formats for Fusion SOAR. B (.JSON) is heavily used elsewhere in the platform for schemas, API payloads, and structured data, but the CrowdStrike materials I found that specifically show workflow structure present it in YAML , not JSON. Based on that documented workflow representation, .YAML is the correct answer here.

The correct answer is D. Next-Gen SIEM Connector Dashboard .

CrowdStrike describes the Falcon Next-Gen SIEM Connector Dashboard as the place to understand the status and volume of data ingestion for third-party sources. This matches the question’s requirement for a dashboard showing third-party ingestion visibility.

The other options are not aimed at third-party SIEM connector ingestion monitoring:

Sensor Usage Dashboard relates to Falcon sensor usage, not connector-based third-party ingestion.

Sensor Subscription Dashboard is about licensing/subscription counts.

Falcon Flex Dashboard is related to subscription consumption and commercial usage, not connector ingestion telemetry.

==========

Elastic’s official ECS guidelines define Core fields as the fields most common across use cases and explicitly state that analysis content built on these fields should work properly on data from any relevant source. They also say to focus on populating these fields first . CrowdStrike’s CPS builds on ECS and is intended to standardize field names and structures across different data sources for consistent searching and analysis. Together, that makes Core fields the right answer when your goal is a consistent cross-source view.

Why the other options are incorrect:

Extended fields are useful, but ECS defines them as anything not in the core set, so they are not the primary normalization target for broad consistency.

Base fields and Detection fields are not the correct ECS field-type answer to this question as framed.

The correct answer is C . Default system alerting for third-party connectors in Next-Gen SIEM focuses on connector health and ingestion-governance conditions. The three enabled-by-default alerts are: connector disconnected , daily data ingestion limit exceeded , and monthly data ingestion limit exceeded . These three alert conditions monitor both connectivity and consumption thresholds for third-party data connectors. Options containing “Resolve alerts within 30 days” are incorrect because that is not an alert condition.

==========

The correct answer is A. 9 GB .

CrowdStrike’s Falcon LogScale Collector sizing documentation states that memory requirement for memory queues is linearly proportional to the number of sinks plus a constant baseline requirement of 1 GB . The documentation gives a worked example: 1 GB baseline + queue sizes for each sink .

For this question:

Number of sinks = 4

Queue size per sink = 2 GB

Total sink memory = 4 × 2 GB = 8 GB

Add baseline memory = 1 GB

So the minimum memory requirement is:

8 GB + 1 GB = 9 GB .

That is why:

A. 9 GB is correct

B. 12 GB , C. 10 GB , and D. 8 GB are incorrect because they do not match CrowdStrike’s documented sizing formula for memory queues.

The Falcon SIEM Connector requires an API client with Read access to Event Streams . This permission allows the connector to authenticate to Falcon and receive streaming event data. Other permissions such as Hosts, Incidents, or Detection Management are not the required permission for establishing Falcon event-stream ingestion.

==========

The least-privilege role for users who only need to view dashboards, searches, and investigation data without making changes is NG SIEM Analyst – Read Only . This role is designed for visibility without content modification or administrative access. The other roles provide broader operational or management permissions.

==========

The correct answer is A . CrowdStrike LogScale documentation says the Live checkbox controls whether dashboard widget queries run as live or static queries. When enabled, the dashboard continuously updates with real-time data , which is exactly what the question asks for.

==========

The groupBy() function is used to aggregate events by one or more fields, such as hostname, and return counts or other aggregate calculations. table() displays selected fields but does not perform grouped aggregation. parseJson() and kvParse() are parsing functions, not aggregation functions.

==========

The correct answer is C. NGSIEM with both read and write permissions .

CrowdStrike integration guidance for querying Next-Gen SIEM event data states that the API client needs the NGSIEM scope with both Read and Write permissions . The documentation explains why: Write is required to create the search/query job, and Read is required to retrieve the query results.

Why the other options are incorrect:

A is incorrect because the documented requirement is Read + Write ; there is no documented “execute” permission in the cited guidance. B is incorrect because read-only access would let you read results but not create the query job. D is incorrect because write-only access would let you submit the job but not read the results back.

==========

The correct answer is C. #observer.type and #event.kind .

CrowdStrike’s CPS migration documentation lists the CPS-compliant parser tags, including #event.dataset , #event.kind , #event.module , and #observer.type . Since both #observer.type and #event.kind are explicitly listed, option C is the correct pair.

Why the other options are incorrect:

The documentation lists #Vendor as a tag, not #vendor.name , and it does not list #event.type among the CPS parser tags in the tag list. That makes options A, B, and D incorrect.

The correct answer is D. Syslog . The sample log follows classic syslog structure: a syslog-style timestamp, hostname, process name with PID, and message body. CrowdStrike’s LogScale Collector documentation includes Syslog as a source/parser context for logs of this format, making Syslog the appropriate default parser choice here.

==========