The correct answer is A. 9 GB .
CrowdStrike's Falcon LogScale Collector sizing documentation states that memory requirement for memory queues is linearly proportional to the number of sinks plus a constant baseline requirement of 1 GB .
The documentation gives a worked example: 1 GB baseline + queue sizes for each sink .
For this question:
* Number of sinks = 4
* Queue size per sink = 2 GB
* Total sink memory = 4 × 2 GB = 8 GB
* Add baseline memory = 1 GB
So the minimum memory requirement is:
8 GB + 1 GB = 9 GB .
That is why:
* A. 9 GB is correct
* B. 12 GB , C. 10 GB , and D. 8 GB are incorrect because they do not match CrowdStrike's documented sizing formula for memory queues.

CrowdStrike LogScale documentation states that groupBy() is used to group events by one or more specified fields, similar to SQL GROUP BY. The documentation also says the function parameter accepts aggregate functions, and its default is count(as=_count). That means the query that explicitly groups by ComputerName, UserName, and CommandLine and applies function=count() is the correct way to output the frequency of each unique combination of those three fields.
Why the other options are incorrect:
A is incorrect because table() formats output rows but does not aggregate unique combinations into frequencies the way groupBy() does. Adding count() after table() does not produce grouped counts for each unique triplet. B is incorrect because table() is not the aggregation function documented for grouped frequency counting; groupBy() is. D is close, but it relies on the default count behavior rather than explicitly specifying function=count(). Since the question asks which query will output the frequency of a unique set, C is the most correct and explicit choice.

The correct answer is D. @event_parsed .
CrowdStrike LogScale's parser error documentation explicitly states that @event_parsed indicates whether the event has been successfully parsed during ingest . The same documentation says it is set to false when there was a parsing error. That exactly matches the question.
Why the other options are incorrect:
@ingesttimestamp represents the time the platform ingested the event, not whether parsing succeeded.
@rawstring contains the original raw event data. @error_msg can contain error details, but it is not the primary field that directly indicates parse success or failure. The field CrowdStrike documents for parsing status is @event_parsed .

The correct answer is A . CrowdStrike LogScale documentation says the Live checkbox controls whether dashboard widget queries run as live or static queries. When enabled, the dashboard continuously updates with real-time data , which is exactly what the question asks for.

The correct answer is D. Next-Gen SIEM Connector Dashboard .
CrowdStrike describes the Falcon Next-Gen SIEM Connector Dashboard as the place to understand the status and volume of data ingestion for third-party sources. This matches the question's requirement for a dashboard showing third-party ingestion visibility.
The other options are not aimed at third-party SIEM connector ingestion monitoring:
* Sensor Usage Dashboard relates to Falcon sensor usage, not connector-based third-party ingestion.
* Sensor Subscription Dashboard is about licensing/subscription counts.
* Falcon Flex Dashboard is related to subscription consumption and commercial usage, not connector ingestion telemetry.