CrowdStrike Certified SIEM Engineer (CCSE-204) Free Practice Test

Question 1

Which CQL statement below includes correct placement of the AND statements and the pipe symbol?

A. #sourcefile="jobfilename" | stdout=/\[[\+]\] / | groupBy([hostname], function=collect([hostname,stdout] )) | stdout != "" AND stdout != "* No artifacts *" AND select([hostname,stdout])

B. #sourcefile="jobfilename" | stdout=/\[[\+]\] / AND groupBy([hostname], function=collect([hostname, stdout] )) AND stdout ! = "" | stdout != "* No artifacts *" | select([hostname,stdout])

C. #sourcefile="jobfilename" AND stdout=/\[[\+]\] / | groupBy([hostname], function=collect([hostname, stdout] )) AND stdout != "" AND stdout != "* No artifacts *" | select([hostname,stdout])

D. #sourcefile="jobfilename" AND stdout=/\[[\+]\] / | groupBy([hostname], function=collect([hostname, stdout] )) | stdout != "" AND stdout != "* No artifacts *" | select([hostname,stdout])

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

You have been tasked with parsing the following space-delimited log:
2025-06-03 12:13:07 johndoe 192.168.5.15 login
The log source data is guaranteed to always be in the same order.
Which function can parse this log?

A. parseFixedWidth()

B. parseCEF()

C. parseJson()

D. parseCsv()

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

The parseJson() function would be used to parse which log message format from the list below?

A. 192.168.1.1 [192.168.1.1] - - [10/May/2024:14:23:11 +0000] "GET/index.html"

B. 2024-05-10T14:23:11Z INFO Service started

C. level=debug msg="Disconnected" host=app01

D. { "level": "info", "msg": "User login", "user": "john_doe" }

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

A correlation rule is generating a high volume of detections. You have been asked to temporarily deactivate it so your team can investigate.
What will happen to previously generated detections while the rule is in a deactivated state?

A. They will be immediately deleted from the console

B. They will not be impacted and will remain within the console

C. Their status will change to closed and tagged as true positives in the console

D. Their status will change to closed and tagged as false positives in the console

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

What is the correct mode to enroll LogCollector into Fleet Management with configuration of the log sources stored and managed centrally in Next-Gen SIEM?

A. Complete

B. Central

C. Full

D. localConfig

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

Which function is most appropriate for extracting fields from logs formatted as key=value pairs?

A. kvParse()

B. parseXml()

C. parseJson()

D. parseCsv()

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

You notice that the format of incoming logs suddenly changes from JSON format to key-value pairs during log collection.
What action would you take to parse the data correctly?

A. Disable parsing entirely

B. Switch to fleet mode and monitor the logs

C. Restart the log collector in debug mode

D. Use a multi-source configuration with different parsers per source

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

CrowdStrike Certified SIEM Engineer (CCSE-204) Free Practice Test