CrowdStrike CCSE-204 Exam With Confidence Using Practice Dumps

The correct answer is A . Deactivating a correlation rule stops it from generating new detections, but previously generated detections remain available in the console for review and investigation. Rule deactivation affects future rule execution state rather than retroactively changing, closing, or deleting detections that have already been created. That is why options B, C, and D are incorrect.

==========

kvParse() is designed for logs that use key=value structure. It extracts the keys and values into searchable fields. parseJson() is for JSON objects, parseCsv() is for delimited positional records, and parseXml() is for XML-formatted content.

==========

The correct answer is C .

CrowdStrike’s CPS documentation explicitly lists the CPS-compliant parser tags, and the relevant four event parser tags in that list are #event.dataset , #event.kind , #event.module , and #event.outcome . That exactly matches option C.

Why the other options are incorrect:

event.category is an important event categorization field in CPS, but it is not one of the four parser tags listed in the CPS tag set that this question is asking about. The documented parser tag list includes event.dataset , event.kind , event.module , and event.outcome .