General Exam Tips
- 1.The passing score is 80% — you can only miss about 12 of 60 questions. Approach every question as if it could be the one that makes or breaks your pass.
- 2.Read ALL answer options before choosing. Many distractors are nearly correct but apply the right concept to the wrong scenario or use the right tool at the wrong step.
- 3.Incident Investigation (40%) alone is 24 questions. If you run out of preparation time, prioritize this domain above all others.
- 4.Scenario questions always embed the key discriminator in the constraint clause — phrases like 'across both data sources', 'immediately', 'first', or 'MOST appropriate' determine which answer is correct.
- 5.When a question asks what to do FIRST, eliminate escalation and automation answers — investigation must come before action unless the threat is already confirmed and active.
- 6.When choosing between CPS normalized fields vs vendor-specific fields in a query, the constraint 'across multiple data sources' always means use CPS fields.
- 7.If two answers use the same tool, look at WHEN that tool is used — Case Management is for documenting after investigation, not during initial detection triage.
- 8.Flag hard questions and move on. There is no penalty for wrong answers — always answer every question, even if guessing.
- 9.Time management: 90 minutes for 60 questions = 90 seconds per question average. Scenario questions take longer — keep moving.
- 10.The exam tests analyst judgment, not memorization. For each scenario, ask yourself: what would a SOC analyst actually do first before taking action?
Quick Navigation
Querying and Analytics
Must-Know Facts
- CQL uses pipe syntax to chain operations left-to-right. Filters come first, then functions. You cannot place a function before its input filter in the same stage.
- OR binds closer (higher precedence) than AND in CQL — the opposite of most programming languages and SQL. Without parentheses, 'a AND b OR c' evaluates as 'a AND (b OR c)', not '(a AND b) OR c'.
- AND and OR operators cannot be used directly with CQL functions — use pipes to chain function calls instead of boolean operators between them.
- The top() function handles counting and ranking internally. Piping groupBy() before top() is redundant — top() already counts. This is a common error in exam CQL answer options.
- CrowdStrike Parsing Standard (CPS) normalized fields (e.g., source.ip, user.name, event.action, destination.port) work across ALL data sources. Vendor-specific field names only work for their specific source.
- timeChart() is the correct function for time-series trend visualizations. groupBy() produces counts by category, not by time. For 'show me volume over time' scenarios, timeChart is the answer.
- Free-text search matches raw log text across all fields. Field-specific filtering (field=value) is more precise and performant. Both have exam scenarios — match the approach to the requirement.
- The field existence check pattern: 'fieldname = *' matches events where the field exists. 'fieldname != *' matches events where it does not. This is non-obvious CQL syntax that appears in query construction questions.
- Pivoting in CQL means taking a value from one result and using it to construct a new query against a different data source — the investigation technique of following observable connections through different log repositories.
- Implicit AND: space-separated terms in CQL are joined with AND. 'failed login' is equivalent to 'failed AND login' — know this when interpreting provided query snippets in exam questions.
Common Traps
Confusing Pairs
Scenario Tips
The question asks for a query that works across firewall logs AND identity provider logs without writing separate queries for each source.
Use CPS normalized field names (source.ip, event.action, user.name). CPS normalization means the same field name resolves correctly from both data sources.
Writing separate queries per source is inefficient and does not correlate the data. Using vendor-specific fields breaks when applied to the other source.
A manager wants a visualization showing how the volume of failed login attempts has changed over the past 30 days.
Use timeChart(span=1d, function=count()) filtered on failed authentication events. This produces the time-series trend view the manager needs.
groupBy(source.ip) shows which IPs are attacking most, not how volume changed over time. stats(count()) returns a single total, losing all temporal information.
An analyst runs a query and sees a host connecting to 50 unique external IPs in 5 minutes. What should the analyst do FIRST?
Pivot on the host to investigate the nature of those connections — check destination IPs, ports, processes, and whether the host role (web server, CDN node, etc.) explains the behavior.
Immediately containing the host (SOAR) assumes malicious intent before confirming it. Creating a correlation rule addresses future detection, not the current finding.
A query requires combining two filter functions: regex(/pattern/) and checking if a field value is in a list.
Use pipes: regex(/pattern/) | in(field, values=[...]). CQL functions cannot be combined with AND/OR operators — use pipe chaining.
regex(/pattern/) AND in(field, values=[...]) is a syntax error in CQL. This trap is specifically called out in CQL documentation.
Last-Minute Facts
Detection Logic and Alert Analysis
Must-Know Facts
- Three detection types in Falcon Next-Gen SIEM: (1) First-party detections from CrowdStrike modules (EDR, Identity Protection, Cloud Security) — richest context; (2) Third-party passthrough detections forwarded from external tools — limited context; (3) Correlation rule detections generated by CQL-based rules — context depends on what the rule queries.
- First-party detections include full process trees, parent-child process relationships, device context, user identity, and CrowdStrike threat intelligence enrichment automatically — no additional work by the analyst required.
- Correlation rules are persistent CQL-based detection logic that run continuously against incoming data and auto-generate alerts. They are NOT the same as ad-hoc CQL search queries run by analysts.
- MITRE ATT&CK tactics represent adversary GOALS (what they are trying to achieve). Techniques represent specific METHODS used to accomplish those goals. One tactic can have many techniques.
- The 14 MITRE ATT&CK enterprise tactics per the CCSA exam guide (Jan 2026, pre-v19): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Note: ATT&CK v19 (Apr 2026) split Defense Evasion into Stealth and Defense Impairment, making 15 tactics — expect the exam to use the older 14-tactic model until the guide is revised.
- Alert metadata: Severity = potential impact if the threat is real. Confidence = likelihood the detection is a true positive. Both dimensions must be used together for triage prioritization.
- High severity + high confidence = investigate immediately. High severity + low confidence = investigate to validate before escalating. Low severity + high confidence = confirmed but lower priority. Low severity + low confidence = lowest priority.
- False positive analysis requires context: the same activity (encoded PowerShell, admin tool usage, mass file operations) can be malicious from an unknown user and entirely legitimate from a known admin in a scheduled task.
- Out-of-the-box (OOB) correlation rules are CrowdStrike-provided rules mapped to MITRE ATT&CK and threat actor groups. Custom correlation rules are organization-defined. Both use CQL.
Common Traps
Confusing Pairs
Scenario Tips
Three detections arrive for the same host: a first-party EDR detection, a third-party firewall passthrough, and a correlation rule detection. Which provides the richest initial triage context?
The first-party EDR detection. It includes process trees, parent-child relationships, user identity, and CrowdStrike threat intelligence enrichment automatically.
Correlation rule detections seem thorough because they were deliberately designed, but their context depth depends entirely on what data sources the rule queries. Third-party passthrough has the least context by default.
A detection is mapped to MITRE ATT&CK tactic 'Persistence' with HIGH severity but LOW confidence. How should an analyst prioritize this?
Investigate with medium priority to validate whether the activity is genuinely malicious before escalating. High severity means high potential impact IF real; low confidence means uncertain detection logic.
Do not immediately escalate (ignores low confidence) and do not dismiss (ignores high potential impact). The correct action is validation through investigation.
An analyst sees multiple failed logins followed immediately by a successful login from the same IP. Which MITRE ATT&CK technique does this pattern most closely match?
T1110 Brute Force (under Credential Access tactic). The pattern of repeated failures + eventual success is the defining signature of brute force.
Credential Dumping (T1003) extracts credentials from memory — no login attempts involved. Pass-the-Hash (T1550.002) uses a stolen hash value directly — no repeated login failures. Phishing is not a login pattern at all.
When evaluating a PowerShell encoded command detection, an analyst must determine if it is a false positive. What information is MOST critical?
Context: who is the user, what is their role, is this activity expected (e.g., IT admin during patch window), and what was the parent process. Encoded PowerShell from a known admin in a scheduled task is very different from an unknown user mid-business-day.
The encoded command itself cannot determine false positive status — the same technique can be malicious or legitimate. Context about the user, system, and timing is what distinguishes them.
Last-Minute Facts
Incident Investigation
Must-Know Facts
- Event chain construction requires MULTIPLE data sources. An investigation relying on only one source (e.g., only endpoint logs) is incomplete — the exam consistently tests whether you know which additional sources to add for complete correlation.
- The standard data source correlation stack for lateral movement confirmation: authentication logs (showing the login on the target) + network connection logs (showing the source initiating the connection). Both are required; either alone is insufficient.
- Lateral movement = attacker moving BETWEEN systems. Indicators: RDP/SSH sessions to previously uncontacted hosts, WMI/PsExec execution, network share access, pass-the-hash/pass-the-ticket authentication patterns.
- Persistence = attacker maintaining access ON a system. Indicators: scheduled task creation, registry Run key modification, new Windows service installation, startup folder files, cron job creation, web shell deployment.
- Privilege escalation = attacker gaining higher permissions ON a system they already control. Indicators: LSASS memory access (credential dumping), token manipulation, local vulnerability exploitation, new admin account creation, UAC bypass techniques.
- Lateral movement and privilege escalation often happen in sequence: escalate privileges on host A → steal credentials → use credentials to authenticate on host B (lateral movement). They are distinct ATT&CK tactics but are commonly chained.
- Observable pivoting: start from a detection → expand to related observables. IP → related DNS queries, network connections. User account → all authentication events, file access. File hash → process creation events, all hosts where it ran. Host → all processes, network connections, user logins.
- Impossible travel: a login from City A followed by a login from City B where the travel time is physically impossible (e.g., New York → Tokyo in 25 minutes) is a strong indicator of credential compromise, not VPN or dual-device use.
- Contextual data enrichment: geolocation identifies impossible travel and foreign infrastructure. IP reputation identifies known threat actor infrastructure. TTP mapping links activity to specific threat groups or campaigns.
- Falcon Fusion SOAR: analysts UTILIZE existing SOAR workflows for automated containment (host isolation, user lockout, malware quarantine). Analysts do NOT build SOAR workflows during an investigation — that is an engineer (CCSE) task.
- Response recommendation must match confirmed evidence severity. Containing a host without confirming malicious activity disrupts legitimate business operations. The exam tests proportional response, not maximum response.
- Data retention limits investigation scope. If an incident started 45 days ago but logs only go back 30 days, that 15-day gap cannot be reconstructed — the investigation timeline has a hard boundary.
- Severity and scope assessment: number of affected hosts, sensitivity of compromised accounts (standard user vs. privileged admin), data accessed or exfiltrated, and attacker capabilities demonstrated all factor into severity rating.
Common Traps
Confusing Pairs
Scenario Tips
An analyst finds a user logged in from New York at 09:00 UTC, then the same account logged in from Tokyo at 09:25 UTC. What is the correct conclusion?
This is an impossible travel scenario indicating likely credential compromise. Physical travel between New York and Tokyo takes approximately 14 hours — a 25-minute gap is physically impossible. Treat this as a credential compromise indicator and investigate further (check for MFA bypass, password spray patterns, geographic anomalies).
VPN is the most tempting distractor — but the exam expects you to recognize impossible travel as a red flag requiring investigation, not a simple explanation to dismiss. Multiple devices is another common distractor, but cannot explain a 25-minute gap across 14 hours of physical travel time.
An analyst discovers active C2 communication from a confirmed compromised host. What is the MOST appropriate immediate action?
Use an existing Falcon Fusion SOAR workflow to contain the host (isolate from network). Active C2 = confirmed threat, immediate containment required to stop attacker operations.
Documenting and continuing to monitor allows the attacker to continue operating through an active C2 channel. Creating a new correlation rule addresses future detection, not the current active threat. Emailing the user to disconnect is too slow for time-critical containment of a confirmed active compromise.
An analyst needs to confirm lateral movement from Server-A to Server-B. Which data sources should be correlated?
Authentication logs from Server-B (showing the login event) AND network connection logs showing Server-A initiated the connection to Server-B. Both are needed: network logs confirm the connection was made; auth logs confirm it resulted in successful access.
Network logs alone (firewall) show traffic but not whether login succeeded. Authentication logs alone do not prove which host initiated the connection. Antivirus logs miss fileless techniques. Email/DNS logs are irrelevant for server-to-server lateral movement.
During investigation, an analyst finds a new Windows service created outside any approved change window, running a binary from a temp directory. Which ATT&CK tactic does this represent?
Persistence (TA0003), specifically T1543.003 Create or Modify System Process: Windows Service. Services running malicious binaries auto-start on reboot — classic persistence technique.
Initial Access (TA0001) is how the attacker first entered — the service already implies they are inside. Lateral Movement (TA0008) is about moving between systems. Exfiltration (TA0010) involves data theft. A service creation is definitively persistence.
An analyst is investigating an incident where logs only go back 30 days but the attack appears to have started 45 days ago. How should this affect the investigation?
Document the retention boundary as a gap in the investigation timeline. Continue investigating with available 30 days of data. Note that the initial compromise and early attacker activity cannot be reconstructed from logs — check for persistent artifacts on hosts (files, registry keys, processes) that may predate log availability.
Do not conclude the incident is uninvestigable — available data can still reveal current attacker presence and recent activity. Do not escalate solely due to the data gap — it is a limitation to document, not a finding itself.
An analyst finds evidence that an attacker used Mimikatz-like behavior to access LSASS memory. Which ATT&CK technique does this represent?
T1003.001 OS Credential Dumping: LSASS Memory (under Credential Access tactic, TA0006). LSASS holds credential material — accessing it is the primary method of credential dumping.
This is NOT privilege escalation (TA0004) — credential dumping extracts credentials for later use (pass-the-hash, lateral movement). It is NOT Execution (TA0002) — Mimikatz itself is a tool, but the tactic is about what the tool achieves. Know that credential dumping feeds subsequent lateral movement.
Last-Minute Facts
Reporting and Communication
Must-Know Facts
- Case Management is the designated tool for documenting investigation results: attaching related detections, adding analyst notes, recording timeline findings, and creating a traceable investigation record. It is for DOCUMENTATION after investigation, not detection.
- Aggregation-based visualizations (using groupBy, stats, top, timeChart) are required for communicating data to non-technical stakeholders — raw query results are not appropriate for leadership reporting.
- timeChart(span=1d) is the correct CQL function for trend analysis over time (e.g., attack volume over 90 days). groupBy shows category counts; timeChart shows how counts change over time.
- Executive reporting must translate technical findings into business impact: financial risk, operational disruption, regulatory exposure, and recommended actions — not ATT&CK technique IDs and process tree details.
- Dashboard visualizations serve different purposes: time series charts for trends, bar/column charts for comparative counts, geographic maps for location-based analysis, and tables for detailed event lists.
- Case Management aggregates investigation evidence (detections, notes, findings) but does NOT create new detection rules or configure alert policies — it is purely a documentation and communication tool.
Common Traps
Confusing Pairs
Scenario Tips
After completing a phishing investigation that compromised three accounts, the analyst needs to document all findings. Which tool is appropriate?
Case Management. Attach the related detections, record the investigation timeline, note analyst findings, and document the confirmed compromise scope and remediation actions taken.
Creating a correlation rule detects future phishing — it does not document the current investigation. A CQL query retrieves data but does not capture the investigation narrative or analyst conclusions. A dashboard visualizes aggregate data but cannot store investigation notes or serve as an investigation record.
A SOC manager requests a visual showing how the daily volume of brute force detections has changed over the past 90 days.
Use timeChart(span=1d, function=count()) filtered on brute force detections. This produces a time-series chart showing how daily attack volume increases, decreases, or spikes across the 90-day window.
groupBy(source.ip) shows which IPs are attacking most — not time-based trends. stats(count()) returns a single number with no temporal dimension. top(source.ip) ranks attackers but does not show trend over time.
An analyst must present ransomware incident findings to the CISO and board. Which communication approach is MOST effective?
Summarize in business terms: incident timeline, systems affected, data at risk, actions already taken, estimated recovery timeline, and recommended next steps for prevention. Use plain language — avoid ATT&CK IDs and technical log details.
Sharing raw CQL query outputs is incomprehensible to executives who do not understand field names and log formats. A full ATT&CK technique breakdown is valuable for security teams but too technical for boards and CISOs. Sending the full Case Management log with all analyst notes is too granular — executives need a narrative summary, not every investigative detail.