CCSE-204 Sample Questions Answers

In Fleet Management enrollment, localConfig keeps the collector’s source configuration stored and managed locally on the host. By contrast, full mode stores and manages the configuration centrally in Next-Gen SIEM / Fleet Management. This distinction is important when choosing between centralized and host-local administration.

==========

The correct answer is D .

CrowdStrike’s Falcon Next-Gen SIEM materials distinguish between CrowdStrike detections and third-party detections , and also state that Falcon Next-Gen SIEM extends data collection to third-party data sources . That means first-party detections are native to the Falcon platform, while third-party detections originate from data sources outside the platform that have been onboarded into Next-Gen SIEM.

Why the other options are incorrect:

A is wrong because third-party detections are not defined as detections created by the customer’s team.

B is wrong because the distinction is not based on visibility permissions.

C is wrong because CrowdStrike does not define first-party detections as inherently higher severity than third-party detections.

==========

The correct answer is D . CrowdStrike LogScale’s timestamp parsing documentation gives this exact pattern as the example for a JSON event whose ts field contains 2018/11/01 14:31:10 with no timezone present. The documented solution is:

parseJson() | parseTimestamp("yyyy/MM/dd HH:mm:ss", timezone="Europe/Paris", field=ts)

This works because the event is JSON, so parseJson() is the right first step, and the timestamp format matches the sample exactly. Since the timestamp string does not include timezone information, CrowdStrike documentation says you must provide a timezone parameter to parseTimestamp().

Why the other options are incorrect:

A is wrong because the format string does not match the timestamp. The event uses 2018/11/01 14:31:10, which is yyyy/MM/dd HH:mm:ss, not dd/MMM/yyyy:HH:mm:ss Z. Also, the sample timestamp does not include a Z timezone token in the raw string. B and C are wrong because kvParse() is for key-value logs, not JSON logs, and this event is clearly JSON. CrowdStrike’s built-in parser documentation distinguishes JSON parsing from KV parsing, and the timestamp example for missing timezone specifically uses parseJson() with parseTimestamp().

==========

The correct answer is D. 500 . In CrowdStrike Next-Gen SIEM correlation content limits, the maximum number of active correlation rules allowed in a single CID is 500 . This represents the upper bound for enabled rule objects at the customer-ID level and is intended to balance detection scale with performance and manageability of rule-driven detections. This is why the other options are incorrect and 500 is the correct limit.

==========

The correct answer is D. Prefix the field with Vendor .

CrowdStrike’s CPS documentation says that when an event contains fields that do not exist in ECS , their names should be prefixed with the string literal Vendor. . The same guidance also says to always keep the original Vendor. field when normalizing third-party fields to ECS . That directly matches option D.

Why the other options are incorrect:

CPS does not tell you to remove non-ECS fields or leave them unstructured without normalization. It also does not say every non-compliant field must be converted into ECS. Instead, the standard preserves those vendor-specific fields under the Vendor. namespace.

==========

The correct answer is A. The parser was incorrect .

CrowdStrike LogScale documentation explains that when data is ingested without an appropriate parser , the event still arrives in LogScale, but it is not automatically parsed into fields . In that case, the event remains as raw text in @rawstring, while the expected extracted fields stay empty. That matches the exact symptom described in the question.

Why the other options are incorrect:

B is incorrect because if the ingestion token were invalid, the data generally would not be ingested successfully in the first place. C is incorrect because an overloaded sink may delay or buffer delivery, but it does not explain why only @rawstring is populated while structured fields are missing. D is incorrect because a timestamp parsing problem may cause time-related errors, but it would not by itself explain why the entire firewall event remains unparsed as raw text. CrowdStrike’s parser error docs show that parse failures are tracked separately and that @rawstring is what you inspect when events fail to parse correctly.

==========

Elastic’s official ECS guidelines define Core fields as the fields most common across use cases and explicitly state that analysis content built on these fields should work properly on data from any relevant source. They also say to focus on populating these fields first . CrowdStrike’s CPS builds on ECS and is intended to standardize field names and structures across different data sources for consistent searching and analysis. Together, that makes Core fields the right answer when your goal is a consistent cross-source view.

Why the other options are incorrect:

Extended fields are useful, but ECS defines them as anything not in the core set, so they are not the primary normalization target for broad consistency.

Base fields and Detection fields are not the correct ECS field-type answer to this question as framed.

The correct answer is A. Use a multi-source configuration with different parsers per source .

CrowdStrike’s Falcon LogScale Collector documentation states that parsers can be set for each source . The collector configuration model also explains that the Sources section defines the source of the data, filters to be applied, and parsers . That means when different log formats are being collected, the correct design is to separate them by source and assign the appropriate parser to each source.

Why the other options are incorrect:

Switching to fleet mode or monitoring logs does not itself correct parsing logic. Restarting in debug mode may help troubleshoot, but it does not solve the format mismatch. Disabling parsing would make the data less useful, not more useful. The documented way to handle parser differences is to apply parsers at the source level.

==========

The correct answer is C . CrowdStrike documents parseJson() as the function used to parse data or a field as JSON , converting JSON objects into named fields. The JSON example in the docs matches the structure of option C.

The other options are not JSON. A is key-value style text, B is access-log style text, and D is plain text with a timestamp and message. Those would require other parsing approaches, not parseJson().

The correct answer is C. Styling options .

CrowdStrike LogScale dashboard training documentation says the Styling panel is where you modify widget properties and, for widgets like a Time Chart, change how the graph is displayed . That aligns with changing the widget’s visualization. By contrast, Interactions is for widget interaction behavior, and Edit in Search view is for editing the underlying search rather than changing the visualization style.

The correct answer is C. Falcon Foundry .

CrowdStrike describes Falcon Foundry as its application development platform for building custom apps on the Falcon platform. CrowdStrike’s materials state that Falcon Foundry allows customers to quickly create their own apps, and the Foundry documentation/blog content shows it supports application logic and storage needed for custom workflows and monitoring use cases. That is exactly what fits a requirement to build an app that monitors a defined set of high-risk users and triggers alerts on suspicious activity.

Why the other options are incorrect:

Falcon QueryBuilder is for constructing queries, not building an application. Falcon Spotlight is CrowdStrike’s vulnerability management capability, not an app-development framework. Charlotte AI is an AI assistant capability, not the platform feature used to develop custom monitoring apps. The only option that matches “develop this app” is Falcon Foundry .

The correct answer is B . CrowdStrike states that AI-generated parsers are built from sample log records . Falcon Next-Gen SIEM analyzes those samples to learn the logs’ structure and content, so providing representative examples is the documented way to help the parser interpret and categorize data correctly.

Options A and C are not supported by CrowdStrike documentation. There is no requirement for a minimum parser length, and Next-Gen SIEM parsers are not written as Python or Java programs; CrowdStrike’s parser template shows a parser schema and script structure specific to Next-Gen SIEM.

==========

The correct answer is C. logscale-collector .

CrowdStrike’s Falcon LogScale Collector installation documentation states that the service name varies by installation method. It explicitly says that for Full Installation the service is called logscale-collector , while Custom Installation uses humio-log-collector . Since the question specifically refers to deployment using the Fleet Management interface commands , that aligns with the Full Installation workflow, so the correct service name is logscale-collector .

==========

The sample log is a comma-delimited record with values separated by commas, and some fields are enclosed in quotes. That structure matches CSV-style parsing . In CrowdStrike LogScale, parseCsv() is used for delimited logs where fields appear in a consistent order and are separated by a defined delimiter. This fits the sample shown.

Why the other options are incorrect:

A. XML is incorrect because the log does not use XML tags.

C. JSON is incorrect because the log is not in brace-based key/value JSON format.

D. Key-Value is incorrect because the fields are not expressed as key=value pairs; they are positional comma-separated values instead.

The correct answer is A. @timestamp .

CrowdStrike LogScale documentation explains that @timestamp is the event timestamp, meaning when the event actually happened, while @ingesttimestamp is when the event arrived in LogScale. If you want the rule to fire based on when the event occurred, regardless of ingestion delay, you should use @timestamp .

Why the other options are incorrect:

D. @ingesttimestamp is specifically the ingest time, not the original event time.

B and C are not the standard event-time fields documented for this use. CrowdStrike’s event field documentation centers this distinction on @timestamp versus @ingesttimestamp.

==========