CrowdStrike CCSE-204 - CrowdStrike Certified SIEM Engineer

CrowdStrike’s Fleet Management documentation for Falcon LogScale Collector explains that labels are used to associate metadata with a Fleet Management configuration and with collector instances so they can be tagged, identified, organized, and filtered. The docs specifically describe labels as helping organize collectors by criteria such as environment, region, service, or other custom values. That directly matches option B: Categorize collectors for group configurations .

Why the other options are incorrect:

Option A is incorrect because labels are not used for authentication or password management.

Option C is incorrect because labels do not perform traffic monitoring; they are metadata for organization and selection.

Option D is incorrect because labels do not assign network settings such as IP addresses.

The correct answer is C. Select “Manage Internal Logging” from the menu .

CrowdStrike LogScale Collector documentation for Fleet Management explicitly describes the steps to enable internal logging from the Fleet view. It says to go to Data Ingest > Fleet Overview , click the ellipsis next to the specific collector instance, and then click Manage Internal Logging . From there, you can enable logging and choose where to send it.

Why the other options are incorrect:

A is incorrect because reinstalling the collector is not required. B is incorrect because the question specifically asks how to do it from the Fleet view , and the documented UI action is through the menu in Fleet Management, not by manually editing the local config. D is incorrect because the documentation does not describe enabling internal logging by restarting the service with a special flag.

==========

CrowdStrike LogScale documentation states that groupBy() is used to group events by one or more specified fields, similar to SQL GROUP BY. The documentation also says the function parameter accepts aggregate functions, and its default is count(as=_count). That means the query that explicitly groups by ComputerName, UserName, and CommandLine and applies function=count() is the correct way to output the frequency of each unique combination of those three fields.

Why the other options are incorrect:

A is incorrect because table() formats output rows but does not aggregate unique combinations into frequencies the way groupBy() does. Adding count() after table() does not produce grouped counts for each unique triplet. B is incorrect because table() is not the aggregation function documented for grouped frequency counting; groupBy() is. D is close, but it relies on the default count behavior rather than explicitly specifying function=count(). Since the question asks which query will output the frequency of a unique set, C is the most correct and explicit choice.

The correct answer is A . Deactivating a correlation rule stops it from generating new detections, but previously generated detections remain available in the console for review and investigation. Rule deactivation affects future rule execution state rather than retroactively changing, closing, or deleting detections that have already been created. That is why options B, C, and D are incorrect.

==========

The correct answer is C. Number of concurrent requests a sink is using .

CrowdStrike’s Falcon LogScale Collector sizing guidance states that in high throughput scenarios where the ingestion endpoint becomes a bottleneck, it can be beneficial to increase the number of concurrent requests a sink is using through the workers setting. The docs explicitly say this helps when the number of parallel requests is limiting throughput.

The same document also explains why D is wrong: increasing the memory queue size does not increase sink throughput. The queue exists to keep data available for the sink; if throughput is lower than the incoming data rate, the queue will eventually fill up anyway.

So:

C is correct because more sink workers can improve performance in high-volume conditions.

D is incorrect because queue size does not fix the throughput bottleneck.

A and B are not the documented tuning setting for this issue in the collector guidance.

==========

The correct answer is B. sudo logscale-collector enroll < TOKEN > .

Current CrowdStrike LogScale Collector documentation shows the enrollment command using the logscale-collector binary. For example, the macOS custom installation page explicitly shows:

sudo logscale-collector enroll enrolltoken

The Fleet Management enrollment documentation also explains that you copy the enrollment command from the UI and run it on the machine hosting the collector.

Why the other options are incorrect:

A is a Windows path, not Linux. C reflects the older humio-log-collector naming that existed in earlier versions and release history, but the current docs use logscale-collector for the enrollment command. D does not match the documented command syntax. CrowdStrike’s current documentation centers the enrollment workflow on logscale-collector enroll < token > .

==========

The correct answer is A. 9 GB .

CrowdStrike’s Falcon LogScale Collector sizing documentation states that memory requirement for memory queues is linearly proportional to the number of sinks plus a constant baseline requirement of 1 GB . The documentation gives a worked example: 1 GB baseline + queue sizes for each sink .

For this question:

Number of sinks = 4

Queue size per sink = 2 GB

Total sink memory = 4 × 2 GB = 8 GB

Add baseline memory = 1 GB

So the minimum memory requirement is:

8 GB + 1 GB = 9 GB .

That is why:

A. 9 GB is correct

B. 12 GB , C. 10 GB , and D. 8 GB are incorrect because they do not match CrowdStrike’s documented sizing formula for memory queues.