CCSE Practice Exam — Free 60+ Questions | ExamCademy
CCSE Preview
By CrowdStrike
About the CCSE Exam
60 Practice Questions
3 Study Modes
Free To Get Started
That's the end of the Preview
This exam has 60 community-verified practice questions. Create a free account to access all questions, comments, and explanations.
Topics covered:
Falcon Next-Gen SIEM Overview and Architecture
Data Ingestion and Connectors
Parsing and Normalization
CQL Querying and Data Analysis
Incident Workbench and SIEM Alerts
Correlation Rules and Falcon Fusion SOAR
You need to import a pre-built workflow into Fusion SOAR to automate a part of your incident response process.
Which file format would you use?
A. CPP
B. JSON
C. PY
D. YAML

Which two tags are compliant with the CrowdStrike Parsing Standard (CPS)?
A. #event.type and #event.kind
B. #vendor.name and #event.type
C. #observer.type and #event.kind
D. #observer.type and #vendor.name

You are a Next-Gen SIEM Engineer responsible for parser creation. An internal requirement is to maintain both the Vendor and ECS field names within the Fields panel in Advanced Event Search.
What is the correct method for adding the ECS field while maintaining the Vendor field in a parser?
A. Field Function
B. Regular Expression Field Extraction
C. Assignment Operator
D. As Parameter

What is the time format for the @timestamp field when data is parsed using the CrowdStrike Parsing Standard (CPS)?
A. ISO 8601
B. Unix Time in microseconds
C. Human-readable
D. Unix Time in milliseconds

What is the correct mode to enroll LogCollector into Fleet Management with configuration of the log sources stored and managed centrally in Next-Gen SIEM?
A. Full
B. Complete
C. Central
D. localConfig

What are the four required CPS-compliant Event parser tags?

Which three System alerts are enabled by default in Next-Gen SIEM for third-party connectors?
A. Alert if connector receives no data in 24 hours; Alert if connector is disconnected; Resolve alerts within 30 days
B. Alert if daily data ingestion limit exceeded; Alert if monthly data ingestion limit is exceeded; Resolve alerts within 30 days
C. Alert if connector is disconnected; Alert if daily data ingestion limit exceeded; Alert if monthly data ingestion limit is exceeded
D. Alert if connector receives no data in 24 hours; Alert if daily data ingestion limit exceeded; Alert if monthly data ingestion limit is exceeded

Which default role will maintain least privilege and allow for creation and management of parsers?
A. NG SIEM Analyst
B. NG SIEM Security Lead
C. NG SIEM Administrator
D. NG SIEM Analyst – Read Only

A Falcon Log Collector has been configured with 4 sinks of type memory, each having a queue size of 2GB.
What is the minimum memory requirement produced by this configuration?
A. 9 GB
B. 12 GB
C. 10 GB
D. 8 GB

What should you do with a field that is not CPS-compliant when adding it to a parser?
A. Remove the field from the parser output
B. Leave the field unchanged
C. Convert the field to ECS format
D. Prefix the field with Vendor

Review the log sample below:
What type of parser should be used to extract fields and values from this log?
A. XML
B. CSV
C. JSON
D. Key-Value

What is the maximum number of active correlation rules in a CID?
A. 1000
B. 250
C. 750
D. 500

Review the log event below:
{"ts": "2018/11/01 14:31:10", "server": "webOl", "message": "Out of memory"}
Which parsing function is correct to add a missing timezone field?

What is the first consideration when determining the necessary sizing requirements for log collector clients in a Next-Gen SIEM deployment?
A. The expected daily log volume from each data source
B. The available network bandwidth between the log collectors and the Next-Gen SIEM platform
C. The number of concurrent users accessing the Next-Gen SIEM console
D. The processing power and memory of the log collector host systems

What is the purpose of labels in Fleet Management?
A. Set passwords for collector instances
B. Categorize collectors for group configurations
C. Monitor network traffic
D. Assign IP addresses to collectors

What dashboard presents a view of third-party data ingestion over the past 30 days?
A. Sensor Usage Dashboard
B. Sensor Subscription Dashboard
C. Falcon Flex Dashboard
D. Next-Gen SIEM Connector Dashboard

You want a Next-Gen SIEM dashboard to update automatically when new data is available.
Which action would you take?
A. Toggle the "Live" button to on
B. Change the "Fixed Time Range" to the current date
C. Change the "Relative Time Range" interval to 1 millisecond ago
D. Change the "Start Time" interval to 1 hour

You are creating a dashboard in Next-Gen SIEM and want to change the visualization used by a widget.
What must be selected to make this change?
A. Interactions options
B. Edit in Search view
C. Styling options

Which are valid parse functions in CQL?
A. parseCEF(), parseIETF(), parseJson()
B. parseCEF(), parseJson(), parseXml()
C. parseCEF(), parseIETF(), parseXml()
D. parseIETF(), parseJson(), parseXml()

You are configuring third-party data for ingestion. Once a connection is established, you see the HTTP response code 413 as received by your data shipper.
What does this response code indicate?
A. Bad request. Might indicate invalid data format or no data.
B. Bad request. Connection is accessing non-existent endpoints.
C. This transient error might occur in rare cases. Wait and retry the request.
D. Bad request. The payload size exceeds the allowed limit.

You find a Falcon Log Collector instance on a Linux system that is not connected to Fleet Management.
What command would you use to enroll the Falcon Log Collector?

Which statement is accurate about how data ingest is measured and represented in Next-Gen SIEM?
A. Average GB/day for all sources (pre-parsing)
B. Average GB/month for first and third-party sources (pre-parsing)
C. Average GB/month for all sources (post-parsing)
D. Average GB/day for third-party sources only (pre-parsing)

You need to ingest a data source into Next-Gen SIEM. There is a prebuilt Pull connector.
What is required to configure the connector?
A. HEC token
B. Falcon Log Collector hostname
C. Falcon API URL
D. Data Source API key

Which sequence correctly describes the process for duplicating a workflow in Fusion SOAR?
A. Go to Fusion SOAR > Workflow Management > Select "All Workflows" tab > Right-click on the workflow to duplicate > Select "Clone Workflow" > Modify workflow parameters > Click "Validate" > Set workflow status > Click Apply Changes
B. Go to Fusion SOAR > Fusion SOAR > Workflows > Select the checkbox next to the workflow you want to duplicate > Click "Actions" at the top of the page > Select "Create Copy" > Edit workflow name and description > Configure trigger conditions > Click Next > Review workflow canvas > Click Finish
C. Go to Fusion SOAR > Fusion SOAR > Workflows > Click Open (three dots) menu for the workflow you want to duplicate > Click "Duplicate workflow" > Update and rename the duplicated workflow > Click Save and exit to save the updated workflow
D. Go to Fusion SOAR > Fusion SOAR > Workflows > Find the workflow to duplicate > Click the workflow name > Select "Duplicate" from Actions menu > Edit the workflow configuration > Click "Create" to generate the new workflow > Set Status to On