CrowdStrike CCSE - CrowdStrike Certified SIEM Engineer Exam
Page: 2 / 12
Total 60 questions
Question #6 (Topic: Exam A)
As a Next-Gen SIEM Engineer, you are responsible for managing and tuning correlation rules to improve the detection of potential security incidents. One of your correlation rules is designed to detect multiple failed login attempts that are followed by a successful login within a short time frame.
Which step would you take to tune this correlation rule to reduce false positives while maintaining its effectiveness?
A. Increase the time window for detecting multiple failed login attempts to capture more data
B. Add a condition to exclude known trusted IP addresses from triggering the rule
C. Decrease the threshold for the number of failed login attempts required to trigger the rule
D. Remove the condition for a successful login to simplify the rule
Answer: B
Question #7 (Topic: Exam A)
Which statement is accurate about how data ingest is measured and represented in Next-Gen SIEM?
A. Average GB/day for all sources (pre-parsing)
B. Average GB/month for first and third-party sources (pre-parsing)
C. Average GB/month for all sources (post-parsing)
D. Average GB/day for third-party sources only (pre-parsing)
Answer: A
Question #8 (Topic: Exam A)
Following the principle of least privilege, which is the appropriate role to grant a Falcon Next-Gen SIEM user the permissions to read case data and write XDR data while denying the permission to write case templates?
A. NG SIEM Security Lead
B. NG SIEM Analyst – Read Only
C. NG SIEM Analyst
D. NGSIEM Administrator
Answer: C
Question #9 (Topic: Exam A)
You need to ingest data from a custom internal application hosted on-prem. The application writes logs to a file on a syslog server.
Which data connector would you use?
A. Google Cloud Pub / Sub Data Connector
B. HTTP Event Connector
C. Amazon S3 Data Connector
D. Azure Virtual Machines Data Connector
Answer: B
Question #10 (Topic: Exam A)
You find a Falcon Log Collector instance on a Linux system that is not connected to Fleet Management.
What command would you use to enroll the Falcon Log Collector?
A. "C:\Program Files (x86)\CrowdStrike\Humio Log Collector\humio-log-collector.exe" enroll <TOKEN>
B. sudo logscale-collector enroll <TOKEN>
C. sudo humio-log-collector enroll <TOKEN>
D. sudo humio-log-collector --token <TOKEN> enroll
Answer: C