CertPrepNow
CrowdStrikeCCSA-2054 domains

CCSA-205 Exam Notes

Last-minute traps, must-know facts, and scenario tips for the CrowdStrike Certified SIEM Analyst exam.

General Exam Tips

  • 1.The passing score is 80% — you can only miss about 12 of 60 questions. Approach every question as if it could be the one that makes or breaks your pass.
  • 2.Read ALL answer options before choosing. Many distractors are nearly correct but apply the right concept to the wrong scenario or use the right tool at the wrong step.
  • 3.Incident Investigation (40%) alone is 24 questions. If you run out of preparation time, prioritize this domain above all others.
  • 4.Scenario questions always embed the key discriminator in the constraint clause — phrases like 'across both data sources', 'immediately', 'first', or 'MOST appropriate' determine which answer is correct.
  • 5.When a question asks what to do FIRST, eliminate escalation and automation answers — investigation must come before action unless the threat is already confirmed and active.
  • 6.When choosing between CPS normalized fields vs vendor-specific fields in a query, the constraint 'across multiple data sources' always means use CPS fields.
  • 7.If two answers use the same tool, look at WHEN that tool is used — Case Management is for documenting after investigation, not during initial detection triage.
  • 8.Flag hard questions and move on. There is no penalty for wrong answers — always answer every question, even if guessing.
  • 9.Time management: 90 minutes for 60 questions = 90 seconds per question average. Scenario questions take longer — keep moving.
  • 10.The exam tests analyst judgment, not memorization. For each scenario, ask yourself: what would a SOC analyst actually do first before taking action?
Domain 125% of exam

Querying and Analytics

Must-Know Facts

  • CQL uses pipe syntax to chain operations left-to-right. Filters come first, then functions. You cannot place a function before its input filter in the same stage.
  • OR binds closer (higher precedence) than AND in CQL — the opposite of most programming languages and SQL. Without parentheses, 'a AND b OR c' evaluates as 'a AND (b OR c)', not '(a AND b) OR c'.
  • AND and OR operators cannot be used directly with CQL functions — use pipes to chain function calls instead of boolean operators between them.
  • The top() function handles counting and ranking internally. Piping groupBy() before top() is redundant — top() already counts. This is a common error in exam CQL answer options.
  • CrowdStrike Parsing Standard (CPS) normalized fields (e.g., source.ip, user.name, event.action, destination.port) work across ALL data sources. Vendor-specific field names only work for their specific source.
  • timeChart() is the correct function for time-series trend visualizations. groupBy() produces counts by category, not by time. For 'show me volume over time' scenarios, timeChart is the answer.
  • Free-text search matches raw log text across all fields. Field-specific filtering (field=value) is more precise and performant. Both have exam scenarios — match the approach to the requirement.
  • The field existence check pattern: 'fieldname = *' matches events where the field exists. 'fieldname != *' matches events where it does not. This is non-obvious CQL syntax that appears in query construction questions.
  • Pivoting in CQL means taking a value from one result and using it to construct a new query against a different data source — the investigation technique of following observable connections through different log repositories.
  • Implicit AND: space-separated terms in CQL are joined with AND. 'failed login' is equivalent to 'failed AND login' — know this when interpreting provided query snippets in exam questions.

Common Traps

TrapOR has lower precedence than AND in CQL, just like most languages
RealityOR has HIGHER precedence than AND in CQL. 'event=login AND user=admin OR user=root' evaluates as 'event=login AND (user=admin OR user=root)'. Always use parentheses in complex boolean expressions to avoid unexpected evaluation order.
TrapYou can use AND/OR to combine CQL functions: regex(/pattern/) AND in(field, values=[...])
RealityAND and OR do NOT work with CQL function calls. You must use pipes: regex(/pattern/) | in(field, values=[...]). Using boolean operators between function calls is a syntax error.
TrapgroupBy(user.name) | top(user.name) correctly finds the top users by count
RealitygroupBy() before top() is redundant. top() already counts and ranks by the specified field. The correct query is simply: filter | top(user.name, limit=10). Adding groupBy first produces an incorrect pipeline.
TrapPrebuilt scripts and correlation rules both automate detection
RealityPrebuilt scripts are manually executed analyst tools for threat hunting and investigation. Correlation rules run continuously and automatically generate alerts. Scripts are on-demand; rules are persistent automated detection. The exam tests whether you can distinguish these two roles.
TrapAny anomaly in query results indicates malicious activity
RealityAnomalous patterns require further investigation before drawing conclusions. A host with 47 external connections may be a CDN, web server, or patch system. The exam specifically tests whether you investigate before acting, not whether you recognize the anomaly.

Confusing Pairs

CPS Normalized Fields (source.ip, user.name)Vendor-Specific Fields (src_ip, username)

CPS fields = ECS-based names that work across ALL data sources regardless of origin. Vendor fields = source-specific names that only work for one data source. Use CPS when writing cross-source queries. The exam signals this with phrases like 'across both firewall and identity logs' or 'without rewriting the query per source'.

top() functiongroupBy() + stats(count()) combination

top(field, limit=N) = single function that counts occurrences and returns the top N by count. groupBy(field) | stats(count()) = explicit aggregation pipeline. Both work, but top() is more concise. The exam traps candidates into adding groupBy before top(), which is wrong — top() already handles counting.

timeChart() visualizationgroupBy() aggregation

timeChart(span=1d) = time-series chart showing how a metric changes over time periods (trend analysis). groupBy(field) = categorical aggregation showing totals per group value (count by category). For 'how has X changed over 90 days' questions, choose timeChart. For 'which user has the most events' questions, choose groupBy or top.

Free-Text SearchField-Based Filter (field=value)

Free-text search scans raw log content across all fields — broad but imprecise, slower on large datasets. Field-based filtering targets a specific field value — precise and performant. Use free-text when field names are unknown or for broad hunting. Use field filters for targeted investigation queries.

Scenario Tips

If the question asks about:

The question asks for a query that works across firewall logs AND identity provider logs without writing separate queries for each source.

Answer:

Use CPS normalized field names (source.ip, event.action, user.name). CPS normalization means the same field name resolves correctly from both data sources.

Distractor to avoid:

Writing separate queries per source is inefficient and does not correlate the data. Using vendor-specific fields breaks when applied to the other source.

If the question asks about:

A manager wants a visualization showing how the volume of failed login attempts has changed over the past 30 days.

Answer:

Use timeChart(span=1d, function=count()) filtered on failed authentication events. This produces the time-series trend view the manager needs.

Distractor to avoid:

groupBy(source.ip) shows which IPs are attacking most, not how volume changed over time. stats(count()) returns a single total, losing all temporal information.

If the question asks about:

An analyst runs a query and sees a host connecting to 50 unique external IPs in 5 minutes. What should the analyst do FIRST?

Answer:

Pivot on the host to investigate the nature of those connections — check destination IPs, ports, processes, and whether the host role (web server, CDN node, etc.) explains the behavior.

Distractor to avoid:

Immediately containing the host (SOAR) assumes malicious intent before confirming it. Creating a correlation rule addresses future detection, not the current finding.

If the question asks about:

A query requires combining two filter functions: regex(/pattern/) and checking if a field value is in a list.

Answer:

Use pipes: regex(/pattern/) | in(field, values=[...]). CQL functions cannot be combined with AND/OR operators — use pipe chaining.

Distractor to avoid:

regex(/pattern/) AND in(field, values=[...]) is a syntax error in CQL. This trap is specifically called out in CQL documentation.

Last-Minute Facts

1OR precedence > AND precedence in CQL (opposite of SQL/most languages). Use parentheses in complex expressions.
2Space between terms = implicit AND. 'failed login' = 'failed AND login'.
3top(field, limit=N) counts and ranks in one step — do not add groupBy before it.
4timeChart(span=1d) for time trends. groupBy() for category counts.
5CPS field examples: source.ip, destination.ip, user.name, event.action, host.name, file.hash.sha256.
6AND/OR do NOT work with function calls. Use pipes to chain functions.
Domain 225% of exam

Detection Logic and Alert Analysis

Must-Know Facts

  • Three detection types in Falcon Next-Gen SIEM: (1) First-party detections from CrowdStrike modules (EDR, Identity Protection, Cloud Security) — richest context; (2) Third-party passthrough detections forwarded from external tools — limited context; (3) Correlation rule detections generated by CQL-based rules — context depends on what the rule queries.
  • First-party detections include full process trees, parent-child process relationships, device context, user identity, and CrowdStrike threat intelligence enrichment automatically — no additional work by the analyst required.
  • Correlation rules are persistent CQL-based detection logic that run continuously against incoming data and auto-generate alerts. They are NOT the same as ad-hoc CQL search queries run by analysts.
  • MITRE ATT&CK tactics represent adversary GOALS (what they are trying to achieve). Techniques represent specific METHODS used to accomplish those goals. One tactic can have many techniques.
  • The 14 MITRE ATT&CK enterprise tactics per the CCSA exam guide (Jan 2026, pre-v19): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Note: ATT&CK v19 (Apr 2026) split Defense Evasion into Stealth and Defense Impairment, making 15 tactics — expect the exam to use the older 14-tactic model until the guide is revised.
  • Alert metadata: Severity = potential impact if the threat is real. Confidence = likelihood the detection is a true positive. Both dimensions must be used together for triage prioritization.
  • High severity + high confidence = investigate immediately. High severity + low confidence = investigate to validate before escalating. Low severity + high confidence = confirmed but lower priority. Low severity + low confidence = lowest priority.
  • False positive analysis requires context: the same activity (encoded PowerShell, admin tool usage, mass file operations) can be malicious from an unknown user and entirely legitimate from a known admin in a scheduled task.
  • Out-of-the-box (OOB) correlation rules are CrowdStrike-provided rules mapped to MITRE ATT&CK and threat actor groups. Custom correlation rules are organization-defined. Both use CQL.

Common Traps

TrapThird-party passthrough detections provide the same investigation context as first-party detections
RealityThird-party passthrough detections are forwarded alerts from external tools (firewalls, other EDR products, email gateways). They carry only what that external tool provides — often limited to basic alert fields without process trees, parent-child relationships, or CrowdStrike threat intelligence. First-party detections are vastly richer.
TrapCorrelation rules and CrowdStrike's native Indicators of Attack (IOA) detections are the same thing
RealityCorrelation rules are CQL-based rules written by SIEM engineers — they are configurable, custom, and user-maintained. IOA detections come from CrowdStrike's own detection engine, trained on global threat intelligence and behavioral models. They are separate detection sources with different origins and levels of CrowdStrike backing.
TrapA detection mapped to 'Exfiltration' (high-severity ATT&CK tactic) should always be treated as a confirmed incident
RealityTactic severity must be combined with confidence score. A high-severity tactic mapping with low confidence means the detection logic is uncertain — investigate to validate before treating as confirmed. Confidence tells you how much to trust the detection; tactic tells you the potential impact.
TrapMITRE ATT&CK technique IDs (like T1059) uniquely identify a single attack method
RealityMany techniques have sub-techniques (e.g., T1059.001 = PowerShell, T1059.003 = Windows Command Shell). The exam may reference either the parent technique or a specific sub-technique — know that a technique can cover multiple specific tools or methods.
TrapFalse positive = low confidence detection, so low confidence alerts can be dismissed
RealityLow confidence means the detection logic has uncertainty, not that the activity is definitely benign. Low confidence detections still require context-based evaluation. A low confidence alert for a high-severity behavior warrants investigation, not dismissal.

Confusing Pairs

First-Party Detections (Falcon EDR/Identity/Cloud)Third-Party Passthrough Detections

First-party = generated by CrowdStrike Falcon modules. Includes full process trees, user identity, threat intel, ATT&CK mapping. Best starting point for triage. Third-party = alerts forwarded from external tools into Falcon SIEM. Limited to what the external tool provides. May need correlation with additional data sources to reach investigation depth equivalent to first-party.

IOCs (Indicators of Compromise)IOAs (Indicators of Attack)

IOCs = static, evidence-based artifacts: known-bad IPs, file hashes, domains, URLs. Reactive — they match known malicious fingerprints. IOAs = behavioral, dynamic patterns: sequences of suspicious actions that suggest an attack in progress regardless of tools used. Proactive — detect novel attacks. Falcon's first-party detection engine runs on IOAs. IOCs are used for threat enrichment and correlation matching.

Severity (Alert Metadata)Confidence (Alert Metadata)

Severity = potential damage if the alert is a real threat (Critical/High/Medium/Low). Confidence = probability the alert is a true positive (High/Medium/Low). A Critical severity + Low confidence detection should be investigated but not immediately escalated. High confidence + Medium severity should be acted on, but with proportional response. Never triage on one dimension alone.

MITRE ATT&CK TacticMITRE ATT&CK Technique

Tactic = the adversary's GOAL at that phase (e.g., Persistence = the goal of maintaining access). Technique = the specific METHOD used to achieve that goal (e.g., T1543 Create or Modify System Process = one way to achieve Persistence). One tactic maps to many techniques. Falcon maps detections to both — the tactic tells you the adversary goal, the technique tells you the specific behavior observed.

Correlation Rule DetectionCQL Search Query

Correlation rule = persistent, always-running detection logic that automatically generates alerts when conditions are met. Built by SIEM engineers. CQL search query = on-demand investigation tool run manually by analysts. No persistent monitoring, no automatic alerts. Both use CQL syntax — the difference is execution mode, not query language.

Scenario Tips

If the question asks about:

Three detections arrive for the same host: a first-party EDR detection, a third-party firewall passthrough, and a correlation rule detection. Which provides the richest initial triage context?

Answer:

The first-party EDR detection. It includes process trees, parent-child relationships, user identity, and CrowdStrike threat intelligence enrichment automatically.

Distractor to avoid:

Correlation rule detections seem thorough because they were deliberately designed, but their context depth depends entirely on what data sources the rule queries. Third-party passthrough has the least context by default.

If the question asks about:

A detection is mapped to MITRE ATT&CK tactic 'Persistence' with HIGH severity but LOW confidence. How should an analyst prioritize this?

Answer:

Investigate with medium priority to validate whether the activity is genuinely malicious before escalating. High severity means high potential impact IF real; low confidence means uncertain detection logic.

Distractor to avoid:

Do not immediately escalate (ignores low confidence) and do not dismiss (ignores high potential impact). The correct action is validation through investigation.

If the question asks about:

An analyst sees multiple failed logins followed immediately by a successful login from the same IP. Which MITRE ATT&CK technique does this pattern most closely match?

Answer:

T1110 Brute Force (under Credential Access tactic). The pattern of repeated failures + eventual success is the defining signature of brute force.

Distractor to avoid:

Credential Dumping (T1003) extracts credentials from memory — no login attempts involved. Pass-the-Hash (T1550.002) uses a stolen hash value directly — no repeated login failures. Phishing is not a login pattern at all.

If the question asks about:

When evaluating a PowerShell encoded command detection, an analyst must determine if it is a false positive. What information is MOST critical?

Answer:

Context: who is the user, what is their role, is this activity expected (e.g., IT admin during patch window), and what was the parent process. Encoded PowerShell from a known admin in a scheduled task is very different from an unknown user mid-business-day.

Distractor to avoid:

The encoded command itself cannot determine false positive status — the same technique can be malicious or legitimate. Context about the user, system, and timing is what distinguishes them.

Last-Minute Facts

13 detection types: first-party (richest context), third-party passthrough (limited context), correlation rule (variable context).
2Severity = impact if real. Confidence = probability it is real. Use BOTH for triage priority.
3IOC = static known-bad artifact. IOA = behavioral attack pattern. Falcon engine detects via IOAs.
4MITRE ATT&CK: the CCSA exam guide (Jan 2026) references 14 enterprise tactics. ATT&CK v19 (Apr 2026) split Defense Evasion into Stealth (TA0005) and Defense Impairment (TA0112), raising the count to 15 — exam questions may still use the old 14-tactic terminology. Persistence tactic = T1053 (Scheduled Task), T1543 (System Service), etc.
5OOB correlation rules = CrowdStrike-provided. Custom rules = organization-defined. Both use CQL.
6First-party detection context: full process tree + user identity + CrowdStrike threat intel (automatic, no analyst effort needed).
Domain 340% of exam

Incident Investigation

Must-Know Facts

  • Event chain construction requires MULTIPLE data sources. An investigation relying on only one source (e.g., only endpoint logs) is incomplete — the exam consistently tests whether you know which additional sources to add for complete correlation.
  • The standard data source correlation stack for lateral movement confirmation: authentication logs (showing the login on the target) + network connection logs (showing the source initiating the connection). Both are required; either alone is insufficient.
  • Lateral movement = attacker moving BETWEEN systems. Indicators: RDP/SSH sessions to previously uncontacted hosts, WMI/PsExec execution, network share access, pass-the-hash/pass-the-ticket authentication patterns.
  • Persistence = attacker maintaining access ON a system. Indicators: scheduled task creation, registry Run key modification, new Windows service installation, startup folder files, cron job creation, web shell deployment.
  • Privilege escalation = attacker gaining higher permissions ON a system they already control. Indicators: LSASS memory access (credential dumping), token manipulation, local vulnerability exploitation, new admin account creation, UAC bypass techniques.
  • Lateral movement and privilege escalation often happen in sequence: escalate privileges on host A → steal credentials → use credentials to authenticate on host B (lateral movement). They are distinct ATT&CK tactics but are commonly chained.
  • Observable pivoting: start from a detection → expand to related observables. IP → related DNS queries, network connections. User account → all authentication events, file access. File hash → process creation events, all hosts where it ran. Host → all processes, network connections, user logins.
  • Impossible travel: a login from City A followed by a login from City B where the travel time is physically impossible (e.g., New York → Tokyo in 25 minutes) is a strong indicator of credential compromise, not VPN or dual-device use.
  • Contextual data enrichment: geolocation identifies impossible travel and foreign infrastructure. IP reputation identifies known threat actor infrastructure. TTP mapping links activity to specific threat groups or campaigns.
  • Falcon Fusion SOAR: analysts UTILIZE existing SOAR workflows for automated containment (host isolation, user lockout, malware quarantine). Analysts do NOT build SOAR workflows during an investigation — that is an engineer (CCSE) task.
  • Response recommendation must match confirmed evidence severity. Containing a host without confirming malicious activity disrupts legitimate business operations. The exam tests proportional response, not maximum response.
  • Data retention limits investigation scope. If an incident started 45 days ago but logs only go back 30 days, that 15-day gap cannot be reconstructed — the investigation timeline has a hard boundary.
  • Severity and scope assessment: number of affected hosts, sensitivity of compromised accounts (standard user vs. privileged admin), data accessed or exfiltrated, and attacker capabilities demonstrated all factor into severity rating.

Common Traps

TrapAfter finding a compromised host with active C2 communication, document it first and continue monitoring
RealityActive C2 communication is an ongoing threat — immediate containment using an existing Falcon Fusion SOAR workflow is the correct action. Documentation happens alongside or after containment, not instead of it. Continuing to monitor while a host calls home allows the attacker to continue operating.
TrapGeolocation inconsistency (two logins from geographically distant locations) could be explained by VPN or dual devices
RealityFor the CCSA exam, impossible travel (physically impossible time gap between logins from distant cities) = credential compromise indicator. VPN and dual devices are mentioned as possible explanations to test whether you dismiss the finding — the exam expects you to treat impossible travel as suspicious and investigate, not dismiss.
TrapFalcon Fusion SOAR workflows should be built on the fly to respond to novel attack patterns
RealitySOAR workflows are predefined playbooks built by SIEM engineers (CCSE role). CCSA analysts USE existing workflows for containment. The exam tests whether you know the analyst role (use workflows) vs the engineer role (build workflows). An analyst should not be building SOAR workflows during an active investigation.
TrapA single data source showing suspicious activity is enough to confirm lateral movement
RealityConfirming lateral movement requires corroborating evidence from multiple sources: network logs showing the connection was initiated AND authentication logs showing it succeeded on the target host. One source is insufficient — the exam tests multi-source correlation for investigation conclusions.
TrapWhen data retention has expired for part of the investigation timeline, the incident cannot be investigated
RealityExpired logs limit timeline reconstruction but do not end the investigation. Analysts work with available data and note the retention boundary as a gap in findings. Some evidence (file artifacts, registry changes, running processes) may persist on hosts even after log retention expires.
TrapLateral movement and persistence are the same because both happen after initial compromise
RealityBoth are post-compromise but serve different adversary goals. Lateral movement (TA0008) = spreading across the network to reach high-value targets. Persistence (TA0003) = ensuring the attacker maintains access if credentials change or systems reboot. They can happen in any order and are separate ATT&CK tactics.

Confusing Pairs

Lateral Movement (TA0008)Privilege Escalation (TA0004)

Lateral movement = moving ACROSS systems to reach new targets. Privilege escalation = gaining HIGHER access ON a system already compromised. Lateral movement indicators: remote logins to new hosts, RDP/SSH sessions, pass-the-hash. Privilege escalation indicators: LSASS dumping, token manipulation, new admin account creation. Both are post-compromise; they address different adversary objectives.

Host Containment (via SOAR)Manual Investigation (CQL + Pivoting)

Host containment = automated Falcon Fusion SOAR workflow that isolates a compromised host from the network immediately. Appropriate for confirmed active threats (e.g., active C2 communication). Manual investigation = analyst-driven CQL querying, observable pivoting, and evidence correlation. Required for ambiguous or complex scenarios before drawing conclusions. Do not contain without confirming; do not keep investigating when containment is clearly needed.

Persistence IndicatorsPrivilege Escalation Indicators

Persistence = maintaining access through system changes: new scheduled tasks, registry Run keys, service installations, startup folder entries, web shells. Privilege escalation = gaining higher permissions: LSASS access, Mimikatz execution, token impersonation, new admin account creation, UAC bypass. If a service is created, that is persistence (T1543). If the service runs with SYSTEM privileges obtained through an exploit, that is privilege escalation (T1068).

IOC-Based InvestigationContextual Data Enrichment

IOC investigation = looking up known-bad indicators (IP, hash, domain) against threat intelligence to identify known malicious infrastructure. Contextual enrichment = adding situational context: geolocation for impossible travel detection, IP reputation for infrastructure assessment, TTP mapping for threat actor attribution. IOCs tell you 'this is known bad'. Context tells you 'this behavior is suspicious in this environment'.

Scenario Tips

If the question asks about:

An analyst finds a user logged in from New York at 09:00 UTC, then the same account logged in from Tokyo at 09:25 UTC. What is the correct conclusion?

Answer:

This is an impossible travel scenario indicating likely credential compromise. Physical travel between New York and Tokyo takes approximately 14 hours — a 25-minute gap is physically impossible. Treat this as a credential compromise indicator and investigate further (check for MFA bypass, password spray patterns, geographic anomalies).

Distractor to avoid:

VPN is the most tempting distractor — but the exam expects you to recognize impossible travel as a red flag requiring investigation, not a simple explanation to dismiss. Multiple devices is another common distractor, but cannot explain a 25-minute gap across 14 hours of physical travel time.

If the question asks about:

An analyst discovers active C2 communication from a confirmed compromised host. What is the MOST appropriate immediate action?

Answer:

Use an existing Falcon Fusion SOAR workflow to contain the host (isolate from network). Active C2 = confirmed threat, immediate containment required to stop attacker operations.

Distractor to avoid:

Documenting and continuing to monitor allows the attacker to continue operating through an active C2 channel. Creating a new correlation rule addresses future detection, not the current active threat. Emailing the user to disconnect is too slow for time-critical containment of a confirmed active compromise.

If the question asks about:

An analyst needs to confirm lateral movement from Server-A to Server-B. Which data sources should be correlated?

Answer:

Authentication logs from Server-B (showing the login event) AND network connection logs showing Server-A initiated the connection to Server-B. Both are needed: network logs confirm the connection was made; auth logs confirm it resulted in successful access.

Distractor to avoid:

Network logs alone (firewall) show traffic but not whether login succeeded. Authentication logs alone do not prove which host initiated the connection. Antivirus logs miss fileless techniques. Email/DNS logs are irrelevant for server-to-server lateral movement.

If the question asks about:

During investigation, an analyst finds a new Windows service created outside any approved change window, running a binary from a temp directory. Which ATT&CK tactic does this represent?

Answer:

Persistence (TA0003), specifically T1543.003 Create or Modify System Process: Windows Service. Services running malicious binaries auto-start on reboot — classic persistence technique.

Distractor to avoid:

Initial Access (TA0001) is how the attacker first entered — the service already implies they are inside. Lateral Movement (TA0008) is about moving between systems. Exfiltration (TA0010) involves data theft. A service creation is definitively persistence.

If the question asks about:

An analyst is investigating an incident where logs only go back 30 days but the attack appears to have started 45 days ago. How should this affect the investigation?

Answer:

Document the retention boundary as a gap in the investigation timeline. Continue investigating with available 30 days of data. Note that the initial compromise and early attacker activity cannot be reconstructed from logs — check for persistent artifacts on hosts (files, registry keys, processes) that may predate log availability.

Distractor to avoid:

Do not conclude the incident is uninvestigable — available data can still reveal current attacker presence and recent activity. Do not escalate solely due to the data gap — it is a limitation to document, not a finding itself.

If the question asks about:

An analyst finds evidence that an attacker used Mimikatz-like behavior to access LSASS memory. Which ATT&CK technique does this represent?

Answer:

T1003.001 OS Credential Dumping: LSASS Memory (under Credential Access tactic, TA0006). LSASS holds credential material — accessing it is the primary method of credential dumping.

Distractor to avoid:

This is NOT privilege escalation (TA0004) — credential dumping extracts credentials for later use (pass-the-hash, lateral movement). It is NOT Execution (TA0002) — Mimikatz itself is a tool, but the tactic is about what the tool achieves. Know that credential dumping feeds subsequent lateral movement.

Last-Minute Facts

1Incident Investigation = 40% of exam = approximately 24 of 60 questions. This is where you pass or fail.
2Lateral movement evidence requires: network connection logs (source → target) AND authentication logs (successful login on target). Both. Always both.
3Impossible travel threshold for exam: minutes apart between continents = credential compromise indicator, not VPN explanation.
4SOAR role: analyst USES existing workflows. Engineer BUILDS workflows. CCSA = use, not build.
5Persistence indicators: scheduled tasks, Run registry keys, new services, startup folder entries, web shells, cron jobs.
6Privilege escalation indicators: LSASS access, Mimikatz, token manipulation, new admin account, UAC bypass.
7ATT&CK tactic order (post-compromise): Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → C2 → Exfiltration.
8Response must match confirmed evidence. Contain only when malicious activity is confirmed (or active C2 detected).
9Data retention limits timelines — document the gap, do not halt the investigation.
Domain 410% of exam

Reporting and Communication

Must-Know Facts

  • Case Management is the designated tool for documenting investigation results: attaching related detections, adding analyst notes, recording timeline findings, and creating a traceable investigation record. It is for DOCUMENTATION after investigation, not detection.
  • Aggregation-based visualizations (using groupBy, stats, top, timeChart) are required for communicating data to non-technical stakeholders — raw query results are not appropriate for leadership reporting.
  • timeChart(span=1d) is the correct CQL function for trend analysis over time (e.g., attack volume over 90 days). groupBy shows category counts; timeChart shows how counts change over time.
  • Executive reporting must translate technical findings into business impact: financial risk, operational disruption, regulatory exposure, and recommended actions — not ATT&CK technique IDs and process tree details.
  • Dashboard visualizations serve different purposes: time series charts for trends, bar/column charts for comparative counts, geographic maps for location-based analysis, and tables for detailed event lists.
  • Case Management aggregates investigation evidence (detections, notes, findings) but does NOT create new detection rules or configure alert policies — it is purely a documentation and communication tool.

Common Traps

TrapCase Management is used for active threat monitoring and real-time detection management
RealityCase Management is an investigation documentation tool. It aggregates findings, detections, and analyst notes into organized cases for tracking and communication. It does not generate alerts, run queries continuously, or replace detection tools. It is used AFTER investigation activities produce findings.
TrapSharing raw CQL query results with executive leadership is sufficient for incident reporting
RealityRaw query results contain technical field names, log formats, and data that are meaningless to non-technical executives. Effective leadership reporting requires a narrative summary: incident timeline, business impact, actions taken, and recommended next steps — in plain language.
TrapA dashboard showing attack counts is always the best reporting tool for leadership
RealityThe best visualization depends on what question the stakeholder needs answered. Volume over time = timeChart. Comparison between categories = bar chart/groupBy. Geographic distribution = map. The exam tests matching visualization type to the specific reporting requirement, not defaulting to one visualization type.

Confusing Pairs

Case ManagementCorrelation Rules

Case Management = documentation tool for recording investigation findings, attaching detections, and tracking investigation progress. Used by analysts to document completed investigations. Correlation rules = active detection logic that monitors incoming data and generates alerts. Used by engineers to create persistent detection. Case Management records what happened; correlation rules detect when something is happening.

Reporting Dashboard (Trend Analysis)Monitoring Dashboard (Real-Time Alerting)

Reporting dashboards = aggregation-based visualizations showing historical trends and anomalies over defined time periods. Used for communication and strategic decisions. Monitoring dashboards = real-time views of current detection and alert status. Used for day-to-day SOC operations. The Reporting and Communication domain tests reporting dashboards, not monitoring dashboards.

Scenario Tips

If the question asks about:

After completing a phishing investigation that compromised three accounts, the analyst needs to document all findings. Which tool is appropriate?

Answer:

Case Management. Attach the related detections, record the investigation timeline, note analyst findings, and document the confirmed compromise scope and remediation actions taken.

Distractor to avoid:

Creating a correlation rule detects future phishing — it does not document the current investigation. A CQL query retrieves data but does not capture the investigation narrative or analyst conclusions. A dashboard visualizes aggregate data but cannot store investigation notes or serve as an investigation record.

If the question asks about:

A SOC manager requests a visual showing how the daily volume of brute force detections has changed over the past 90 days.

Answer:

Use timeChart(span=1d, function=count()) filtered on brute force detections. This produces a time-series chart showing how daily attack volume increases, decreases, or spikes across the 90-day window.

Distractor to avoid:

groupBy(source.ip) shows which IPs are attacking most — not time-based trends. stats(count()) returns a single number with no temporal dimension. top(source.ip) ranks attackers but does not show trend over time.

If the question asks about:

An analyst must present ransomware incident findings to the CISO and board. Which communication approach is MOST effective?

Answer:

Summarize in business terms: incident timeline, systems affected, data at risk, actions already taken, estimated recovery timeline, and recommended next steps for prevention. Use plain language — avoid ATT&CK IDs and technical log details.

Distractor to avoid:

Sharing raw CQL query outputs is incomprehensible to executives who do not understand field names and log formats. A full ATT&CK technique breakdown is valuable for security teams but too technical for boards and CISOs. Sending the full Case Management log with all analyst notes is too granular — executives need a narrative summary, not every investigative detail.

Last-Minute Facts

1Case Management = investigation documentation tool. NOT a detection tool. NOT a real-time monitoring tool.
2timeChart(span=1d) = time-series trend. groupBy() = category count. Never confuse them on trend questions.
3Executive reporting = business impact summary (risk, disruption, recommendations). Not raw data. Not ATT&CK IDs.
4Case Management attaches: related detections, analyst notes, investigation findings, remediation records.
5Visualization match: trends over time → timeChart. Category comparison → bar chart/groupBy. Geographic distribution → map.

Feeling confident?

Put your knowledge to the test with a timed CCSA-205 mock exam.