CrowdStrike CCSE-204 - CrowdStrike Certified SIEM Engineer

The least-privilege role for users who only need to view dashboards, searches, and investigation data without making changes is NG SIEM Analyst – Read Only . This role is designed for visibility without content modification or administrative access. The other roles provide broader operational or management permissions.

==========

The correct answer is C. #observer.type and #event.kind .

CrowdStrike’s CPS migration documentation lists the CPS-compliant parser tags, including #event.dataset , #event.kind , #event.module , and #observer.type . Since both #observer.type and #event.kind are explicitly listed, option C is the correct pair.

Why the other options are incorrect:

The documentation lists #Vendor as a tag, not #vendor.name , and it does not list #event.type among the CPS parser tags in the tag list. That makes options A, B, and D incorrect.

The correct answer is C. Quick insights without manual setup .

CrowdStrike describes Falcon Next-Gen SIEM as providing pre-built dashboards and says teams can quickly understand security and system health with prebuilt dashboards for data collection health, SOAR workflow executions, security trends, and more. That directly supports the idea that the main benefit is getting fast visibility and insights without having to build everything manually first .

Why the other options are incorrect:

A is incorrect because dashboards are for visualization and insight, not primarily for raw log access. B is incorrect because custom queries are a separate search capability, not the main value proposition of built-in dashboards. D is incorrect because CrowdStrike emphasizes using pre-built and custom dashboards for visualization, not modifying dashboard source code as the primary benefit.

==========

The correct answer is C . Default system alerting for third-party connectors in Next-Gen SIEM focuses on connector health and ingestion-governance conditions. The three enabled-by-default alerts are: connector disconnected , daily data ingestion limit exceeded , and monthly data ingestion limit exceeded . These three alert conditions monitor both connectivity and consumption thresholds for third-party data connectors. Options containing “Resolve alerts within 30 days” are incorrect because that is not an alert condition.

==========

The correct answer is C. NGSIEM with both read and write permissions .

CrowdStrike integration guidance for querying Next-Gen SIEM event data states that the API client needs the NGSIEM scope with both Read and Write permissions . The documentation explains why: Write is required to create the search/query job, and Read is required to retrieve the query results.

Why the other options are incorrect:

A is incorrect because the documented requirement is Read + Write ; there is no documented “execute” permission in the cited guidance. B is incorrect because read-only access would let you read results but not create the query job. D is incorrect because write-only access would let you submit the job but not read the results back.

==========

The correct answer is A. CrowdStrike Parsing Standard (CPS) compliant parser .

CrowdStrike’s parsing documentation says CPS is used to normalize and validate data so field names and structures are standardized across data sources for more consistent searching and analysis . CPS-compliant parsers also require specific tags and field population rules, which is exactly what makes incoming data searchable and detection-ready in Falcon Next-Gen SIEM.

The other options are not the general standard CrowdStrike uses for detection-ready normalization:

Charlotte AI-generated parser is not the documented parser standard.

VMWare ESXI parser and Linux syslog parser may describe source-specific parsers, but the question asks for the parser type used generally to transform incoming data into normalized, searchable events. That is CPS.

==========

The Falcon SIEM Connector requires an API client with Read access to Event Streams . This permission allows the connector to authenticate to Falcon and receive streaming event data. Other permissions such as Hosts, Incidents, or Detection Management are not the required permission for establishing Falcon event-stream ingestion.

==========

The correct answer is C. Falcon Foundry .

CrowdStrike describes Falcon Foundry as its application development platform for building custom apps on the Falcon platform. CrowdStrike’s materials state that Falcon Foundry allows customers to quickly create their own apps, and the Foundry documentation/blog content shows it supports application logic and storage needed for custom workflows and monitoring use cases. That is exactly what fits a requirement to build an app that monitors a defined set of high-risk users and triggers alerts on suspicious activity.

Why the other options are incorrect:

Falcon QueryBuilder is for constructing queries, not building an application. Falcon Spotlight is CrowdStrike’s vulnerability management capability, not an app-development framework. Charlotte AI is an AI assistant capability, not the platform feature used to develop custom monitoring apps. The only option that matches “develop this app” is Falcon Foundry .

In the Next-Gen SIEM Connector Dashboard (specifically within the CrowdStrike Falcon ecosystem), the maximum retention period for which you can query third-party data ingestion metrics is 90 days .

Why 90 Days?

While the actual log data (telemetry) in a Next-Gen SIEM can often be retained for a year or longer depending on the subscription (e.g., 365 days), the health and ingestion metrics —which include data such as volume throughput, connector status, and ingestion rates—are typically stored for a shorter duration. This 90-day window is designed to provide enough historical context for:

Troubleshooting: Identifying when a specific connector started failing.

Trend Analysis: Monitoring changes in data volume over a fiscal quarter.

Capacity Planning: Reviewing average ingestion rates to ensure they stay within licensed limits.