The correct answer is B. CrowdStrike's query best-practices documentation says to filter first, then do transformations/formatting, then aggregate, and finally do any output-style post-processing such as table/sorting. Among the choices given, Filter > Aggregate > Format is the best match, because formatting and output steps belong at the end for efficiency: every stage after a narrow filter works on fewer events.
This is also consistent with CrowdStrike's explanation that CQL pipelines chain filter and transformation steps before aggregate functions, and that aggregate functions produce new result structures (rows keyed by the grouping fields) rather than raw events, so field formatting applied before the aggregation is lost or wasted.
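As an added illustration of that ordering (not part of the original answer), the following CQL query counts process executions per host. It assumes the Falcon `#event_simpleName=ProcessRollup2` events and the `aid` and `ComputerName` fields; the filter runs first, the aggregate produces new rows, and the sort/table formatting is applied only to those rows:

```cql
// 1. Filter: narrow to the event type and time-independent criteria first
#event_simpleName=ProcessRollup2 FileName=/powershell\.exe/i
// 2. Aggregate: collapse matching events into one row per host
| groupBy([aid, ComputerName], function=count(as="executions"))
// 3. Format / output: order and shape the aggregated rows, not the raw events
| sort(executions, order=desc, limit=20)
| table([ComputerName, aid, executions])
```

Reversing steps 2 and 3 (sorting or tabling the raw events before `groupBy`) forces the engine to order every matching event rather than the small set of per-host rows, and any field selected by `table` that is not a grouping key would be dropped by the aggregation anyway.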