Free CrowdStrike CCSE-204 Practice Exam with Questions & Answers

The correct answer is A. 9 GB .

CrowdStrike’s Falcon LogScale Collector sizing documentation states that memory requirement for memory queues is linearly proportional to the number of sinks plus a constant baseline requirement of 1 GB . The documentation gives a worked example: 1 GB baseline + queue sizes for each sink .

For this question:

Number of sinks = 4

Queue size per sink = 2 GB

Total sink memory = 4 × 2 GB = 8 GB

Add baseline memory = 1 GB

So the minimum memory requirement is:

8 GB + 1 GB = 9 GB .

That is why:

A. 9 GB is correct

B. 12 GB , C. 10 GB , and D. 8 GB are incorrect because they do not match CrowdStrike’s documented sizing formula for memory queues.

The correct answer is C. Assignment Operator .

In Falcon LogScale parser and query syntax, the assignment operator := is used to assign a value to a new field. CrowdStrike’s LogScale documentation explains that := is shorthand for eval, and that it can also be used as shorthand with functions that support an as parameter to assign results to a named output field. This is the right approach when you want to create an ECS field while preserving the existing Vendor field , because you are creating an additional field rather than replacing the original one.

Why the other options are not the best answer:

Regular Expression Field Extraction is used to extract values from raw text when the value is not already parsed, so it is not the normal choice when you already have a Vendor field and simply want to map it to an ECS field as well. As Parameter can name the output field of certain functions, but the CrowdStrike documentation for rename() shows that renaming changes the field name, which does not meet the requirement to keep both field names visible. The rename() examples explicitly state that the original field names are replaced with the new field names.

So for a parser requirement that says “add ECS while maintaining Vendor,” the operationally correct method is to assign the Vendor value into a new ECS field , not rename the Vendor field away.

==========

The correct answer is B. NG SIEM Security Lead . Parser creation and management requires elevated SIEM content and configuration capabilities that go beyond standard analyst activity, but it does not require the full breadth of platform-wide administrative control. NG SIEM Security Lead is the default role that best fits parser management while still maintaining least privilege compared with NG SIEM Administrator . NG SIEM Analyst and NG SIEM Analyst – Read Only do not provide the content-management level access needed for parser administration. CrowdStrike’s SIEM role separation supports using the Security Lead role for advanced SIEM content configuration tasks.

==========

@timestamp represents the time the event actually occurred and is the appropriate field for event-time-based detections and correlations. @ingesttimestamp reflects when the platform received the event, which may differ due to delays. @rawstring is raw event content, and @id is not a time field.

==========

The correct answer is B . CrowdStrike’s query best-practices documentation says to filter first , then do transformations/formatting, then aggregate , and finally do any output-style post-processing such as table/sorting. Among the choices given, Filter > Aggregate > Format is the best match because formatting/output belongs at the end for efficiency.

This is also consistent with CrowdStrike’s explanation that CQL pipelines chain filter and transformation steps before aggregate functions, and that aggregate functions produce new result structures rather than raw events.

==========

The correct answer is D. Next-Gen SIEM Connector Dashboard .

CrowdStrike describes the Falcon Next-Gen SIEM Connector Dashboard as the place to understand the status and volume of data ingestion for third-party sources. This matches the question’s requirement for a dashboard showing third-party ingestion visibility.

The other options are not aimed at third-party SIEM connector ingestion monitoring:

Sensor Usage Dashboard relates to Falcon sensor usage, not connector-based third-party ingestion.

Sensor Subscription Dashboard is about licensing/subscription counts.

Falcon Flex Dashboard is related to subscription consumption and commercial usage, not connector ingestion telemetry.

==========

When a third-party connector is disconnected, the correct response is to review the connector’s configuration, authentication, and health state, then reconnect or reauthorize it as needed. Deleting the parser does not address the connectivity problem, and ignoring the issue delays restoration of ingestion visibility.

==========

The correct answer is D. Syslog . The sample log follows classic syslog structure: a syslog-style timestamp, hostname, process name with PID, and message body. CrowdStrike’s LogScale Collector documentation includes Syslog as a source/parser context for logs of this format, making Syslog the appropriate default parser choice here.

==========

The sample log is a comma-delimited record with values separated by commas, and some fields are enclosed in quotes. That structure matches CSV-style parsing . In CrowdStrike LogScale, parseCsv() is used for delimited logs where fields appear in a consistent order and are separated by a defined delimiter. This fits the sample shown.

Why the other options are incorrect:

A. XML is incorrect because the log does not use XML tags.

C. JSON is incorrect because the log is not in brace-based key/value JSON format.

D. Key-Value is incorrect because the fields are not expressed as key=value pairs; they are positional comma-separated values instead.

The correct answer is C .

CrowdStrike’s CPS documentation explicitly lists the CPS-compliant parser tags, and the relevant four event parser tags in that list are #event.dataset , #event.kind , #event.module , and #event.outcome . That exactly matches option C.

Why the other options are incorrect:

event.category is an important event categorization field in CPS, but it is not one of the four parser tags listed in the CPS tag set that this question is asking about. The documented parser tag list includes event.dataset , event.kind , event.module , and event.outcome .