The correct answer is B. #event.dataset .

CrowdStrike’s CPS documentation explicitly lists #event.dataset as one of the CPS-compliant parser tags. The CPS migration documentation also repeats that CPS-compliant parsers use tags for fields including #ecs.version , #event.dataset , and #event.kind .

Why the other options are incorrect:

Parser.type and Parser.name are not listed as CPS-compliant tags in the CPS standard.

#event.trigger is also not listed among the CPS-compliant fields/tags.

Therefore, the only CPS-compliant option given is #event.dataset .

==========

The correct answer is B .

CrowdStrike’s Falcon LogScale Collector debug documentation says the monitor command launches a monitor terminal application and can be used to see a live view of the running state of the collector. It explicitly states that the running sources, queues and sinks can be inspected in real time . That exactly matches the question.

Why the other options are incorrect:

A can help review service logs, but it is not the documented real-time visualization command for sources and sinks.

C and D do not match the documented command for this purpose in the collector troubleshooting documentation.

==========

The sample log is a comma-delimited record with values separated by commas, and some fields are enclosed in quotes. That structure matches CSV-style parsing . In CrowdStrike LogScale, parseCsv() is used for delimited logs where fields appear in a consistent order and are separated by a defined delimiter. This fits the sample shown.

Why the other options are incorrect:

A. XML is incorrect because the log does not use XML tags.

C. JSON is incorrect because the log is not in brace-based key/value JSON format.

D. Key-Value is incorrect because the fields are not expressed as key=value pairs; they are positional comma-separated values instead.

The correct answer is D . CrowdStrike LogScale’s timestamp parsing documentation gives this exact pattern as the example for a JSON event whose ts field contains 2018/11/01 14:31:10 with no timezone present. The documented solution is:

parseJson() | parseTimestamp("yyyy/MM/dd HH:mm:ss", timezone="Europe/Paris", field=ts)

This works because the event is JSON, so parseJson() is the right first step, and the timestamp format matches the sample exactly. Since the timestamp string does not include timezone information, CrowdStrike documentation says you must provide a timezone parameter to parseTimestamp().

Why the other options are incorrect:

A is wrong because the format string does not match the timestamp. The event uses 2018/11/01 14:31:10, which is yyyy/MM/dd HH:mm:ss, not dd/MMM/yyyy:HH:mm:ss Z. Also, the sample timestamp does not include a Z timezone token in the raw string. B and C are wrong because kvParse() is for key-value logs, not JSON logs, and this event is clearly JSON. CrowdStrike’s built-in parser documentation distinguishes JSON parsing from KV parsing, and the timestamp example for missing timezone specifically uses parseJson() with parseTimestamp().

==========

kvParse() is designed for logs that use key=value structure. It extracts the keys and values into searchable fields. parseJson() is for JSON objects, parseCsv() is for delimited positional records, and parseXml() is for XML-formatted content.

==========

The correct answer is B. sudo logscale-collector enroll < TOKEN > .

Current CrowdStrike LogScale Collector documentation shows the enrollment command using the logscale-collector binary. For example, the macOS custom installation page explicitly shows:

sudo logscale-collector enroll enrolltoken

The Fleet Management enrollment documentation also explains that you copy the enrollment command from the UI and run it on the machine hosting the collector.

Why the other options are incorrect:

A is a Windows path, not Linux. C reflects the older humio-log-collector naming that existed in earlier versions and release history, but the current docs use logscale-collector for the enrollment command. D does not match the documented command syntax. CrowdStrike’s current documentation centers the enrollment workflow on logscale-collector enroll < token > .

==========

The correct answer is B . The best tuning step is to exclude known trusted IP addresses so the rule still detects suspicious sequences while removing known-benign sources of repeated authentication activity. CrowdStrike has publicly documented this tuning principle in detection content guidance, noting that to avoid false positives, organizations may want to exclude certain IP ranges, ASNs, or ISPs from a rule when those sources are expected or trusted. That directly supports the idea that adding a trusted-IP exclusion reduces noise while preserving the core detection logic.

Why the other options are incorrect:

A would usually increase noise because a larger time window captures more benign failed logins. C would also increase false positives because lowering the failed-attempt threshold makes the rule easier to trigger. D weakens the original attack logic by removing the “failed logins followed by success” sequence that makes the rule more specific and meaningful. Keeping the core sequence intact while adding exclusions for known benign sources is the most precise tuning approach.