CertPrepNow
CrowdStrike CCSA-205 (updated 2026-06-13)

CCSA-205 Study Guide

Everything you need to pass the CrowdStrike Certified SIEM Analyst exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CCSA-205 exam is passable with free resources if you have hands-on Falcon Next-Gen SIEM experience and study consistently for 4-8 weeks:

  • CrowdStrike CCSA Certification Exam Guide PDF (free download from CrowdStrike University)
  • CrowdStrike Developer Center documentation for Next-Gen SIEM and CQL (free)
  • LogScale documentation for CQL syntax, operators, and functions (free at library.humio.com)
  • CrowdStrike Tech Hub articles on detection rules, dashboards, and investigation workflows (free)
  • MITRE ATT&CK framework documentation and matrices (free at attack.mitre.org)
  • 500+ free practice questions on this site

This certification focuses on analytical and investigation skills. While documentation provides the conceptual foundation, the 80% passing score means you need practical experience interpreting detections, writing CQL queries, and investigating incidents in the Falcon platform. CrowdStrike recommends at least 6 months of Falcon experience.

Choose Your Study Path

You have general security operations or SOC experience but limited or no exposure to CrowdStrike Falcon Next-Gen SIEM. You need to learn the platform, CQL, and CrowdStrike-specific investigation workflows.

Week 1: Review the CCSA exam guide and all objectives. Learn Falcon Next-Gen SIEM platform navigation, architecture, and core concepts: repositories, data sources, dashboards, and the detection pipeline
Week 2: Study CQL fundamentals: pipe syntax, filter expressions, logical operators (AND, OR), comparison operators, free-text search, field selection, and basic time parameters
Week 3: Learn intermediate CQL: aggregation functions (groupBy, stats, top, count), field manipulation (eval, rename, replace), regex patterns, and the CrowdStrike Parsing Standard for data source agnostic queries
Week 4: Study the MITRE ATT&CK framework: tactics, techniques, and procedures (TTPs). Understand how ATT&CK maps to Falcon detections and correlation rules
Week 5: Deep dive into detection types: first-party detections (Falcon EDR/Identity/Cloud), third-party passthrough detections, and correlation rule detections. Learn alert metadata (severity, tactic, confidence)
Week 6: Study incident investigation (40% of exam): constructing event chains from multiple data sources, identifying lateral movement, persistence, and privilege escalation, and pivoting between observables (IPs, users, hashes)
Week 7: Continue investigation topics: IOC interpretation, contextual data (geolocation, IP reputation, TTPs), Falcon Fusion SOAR workflows for containment, data source availability and retention, and severity/scope assessment
Week 8: Cover reporting and communication: Case Management documentation, aggregation-based visualizations, dashboards for trend analysis, and communicating findings to leadership
Week 9: Practice questions across all domains. Take a full mock exam. Focus on Incident Investigation (40%) and Querying and Analytics (25%), which together make up 65% of the exam
Week 10: Review all incorrect answers and retake weak areas. Take another mock exam aiming for 85%+. Schedule your real exam when you are consistently scoring above 80%

Exam Overview

Format

60 questions, 90 minutes. All questions are multiple choice covering analytical reasoning and investigation scenarios.

Scoring

Percentage-based scoring 0-100%. Passing: 80%. No penalty for wrong answers — always answer every question.

Domains & Weights

  • Querying and Analytics: 25%
  • Detection Logic and Alert Analysis: 25%
  • Incident Investigation: 40%
  • Reporting and Communication: 10%

Registration

Exam fee is $250 USD. Available at Pearson VUE testing centers or online proctored. Certification is valid for 3 years; recertification requires passing the current exam version.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): You must understand these concepts deeply, know how to apply them in investigation scenarios, and be able to interpret results. These appear across multiple questions.
Tier 2 (Should Know): Understand what these are and their key characteristics. May appear in 2-5 questions each.
Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1: 25% of exam

Querying and Analytics

This domain covers constructing CQL queries to search, filter, and analyze security data within Falcon Next-Gen SIEM. You must be able to build queries with filters, logical operators, and time parameters; leverage dashboards and prebuilt scripts for threat hunting; interpret query results to identify suspicious behavior; pivot between related data sets; and use the CrowdStrike Parsing Standard for cross-source queries.

Key Topics

CQL, Dashboards, CPS, Prebuilt Scripts, Aggregation Functions, Filter Operators

Must-Know Concepts

  • CQL query construction: pipe syntax for chaining operations, filter expressions using field=value, logical operators (AND, OR), comparison operators, and time range parameters
  • CQL functions for analysis: groupBy() for deduplication, stats(count()) for aggregation, top() for ranking, eval() for calculated fields, regex() for pattern extraction, rename(), and sort()
  • Free-text search vs field-based filtering: when to use each approach and how they affect query performance and result accuracy
  • Using dashboards and prebuilt scripts to hunt for suspicious behaviors without writing queries from scratch
  • Interpreting query results to distinguish normal from suspicious or malicious patterns — the exam presents results and asks for the correct interpretation
  • Pivoting between related Falcon Next-Gen SIEM data sets: correlating network data with host data, host data with email data, email data with identity data across repositories
  • CrowdStrike Parsing Standard (CPS) for data source agnostic queries: using normalized field names (e.g., source.ip, user.name, event.action) that work across all data sources regardless of original format
  • Time parameters in CQL: relative time ranges, absolute time ranges, and how time scoping affects query performance and investigation accuracy

Common Exam Traps

  • CPS normalized fields like source.ip work across ALL data sources. Raw vendor-specific fields like src_ip only work for specific sources — the exam tests whether you know when to use CPS fields for cross-source queries
  • In CQL, OR binds closer than AND — this is different from most query languages and can cause incorrect filtering without parentheses to enforce evaluation order
  • The top() function already counts and ranks — adding groupBy before top() is redundant. Know which functions handle aggregation internally
  • Prebuilt scripts are ready-to-use hunting tools, NOT the same as correlation rules. Scripts are analyst-driven; correlation rules are automated detections
  • Query results showing anomalous patterns do not automatically mean malicious activity — the exam tests whether you can distinguish between unusual-but-benign and genuinely suspicious behaviors

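
The cross-source failed-login hunt from the CPS trap above, written out as an added CQL example (not from this page or from CrowdStrike). It assumes the authentication events carry the CPS/ECS-style fields event.category and event.outcome alongside the source.ip and user.name fields the page names; the 203.0.113.10 allowlisted scanner address is a constructed value.

```cql
// Stage 1: filter on CPS-normalized fields only, so the same query covers
// firewall and identity-provider events without vendor aliases like src_ip.
event.category="authentication" and event.outcome="failure"
// Stage 2: drop RFC 1918 sources; the leading ! negates the cidr() match.
| !cidr(field="source.ip", subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
// Stage 3: mixed and/or filter. Parentheses state the intended order explicitly
// instead of relying on CQL operator precedence (assumed allowlisted scanner IP).
| (user.name="admin" or user.name="administrator") and source.ip!="203.0.113.10"
// Stage 4: aggregate one row per external IP and target account with a count.
| groupBy([source.ip, user.name], function=count(as=failures))
// Stage 5: rank the noisiest pairs first; limit keeps the result reviewable.
| sort(failures, order=desc, limit=25)
```

Swapping source.ip for a vendor field such as src_ip would silently lose every event whose parser did not emit that name, which is exactly the cross-source gap the trap describes.
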
Quick Check: Querying and Analytics

Question 1 of 3

An analyst needs to find all failed login attempts from external IP addresses across both firewall logs and identity provider logs in Falcon Next-Gen SIEM. Which approach ensures the query works across both data sources?

Domain 2: 25% of exam

Detection Logic and Alert Analytics

This domain covers understanding how detections are generated and analyzed in Falcon Next-Gen SIEM. You must know the purpose of correlation rules, differentiate between detection types (first-party, third-party passthrough, and correlation), apply the MITRE ATT&CK framework, distinguish false positives from real threats, and interpret alert metadata to prioritize investigations.

Key Topics

Correlation Rules, MITRE ATT&CK, Detection Types, Alert Metadata, False Positive Analysis, Investigative Priority

Must-Know Concepts

  • Purpose and function of correlation rules: how they use CQL to define detection logic, how they generate alerts, and how they can be configured to produce detections or incidents
  • Three detection types: first-party detections (native Falcon EDR, Identity, Cloud), third-party passthrough detections (alerts forwarded from external tools), and correlation rule detections (custom or built-in CQL-based rules)
  • MITRE ATT&CK framework components used in Falcon: tactics (adversary goals like Initial Access, Execution, Persistence), techniques (specific methods), and how detections are mapped to them
  • False positive analysis: evaluating event context, user behavior patterns, known benign activities, and environmental factors to determine whether a detection represents a real threat
  • Alert metadata interpretation: severity (potential impact), tactic (ATT&CK classification), confidence (likelihood of true positive), and how to combine these to determine investigative priority
  • Out-of-the-box correlation rules: CrowdStrike-provided detection rules mapped to MITRE ATT&CK and specific adversary groups, versus custom rules created by the organization
  • Detection triage workflow: how analysts should prioritize and sequence investigation of multiple simultaneous detections based on metadata and organizational risk

Common Exam Traps

  • First-party detections have richer context than third-party passthrough detections. Third-party detections may require additional investigation to establish the same level of confidence
  • Correlation rules and CrowdStrike's native IOA detections are DIFFERENT detection sources. Correlation rules are CQL-based and user-configurable; IOA detections are powered by CrowdStrike's proprietary detection engine
  • A detection mapped to a high-severity ATT&CK tactic (like Exfiltration) does not automatically mean it is a true positive — confidence score matters equally for triage prioritization
  • False positive analysis requires CONTEXT, not just the alert itself. The same activity can be malicious in one environment and benign in another (e.g., PowerShell encoded commands from a known admin vs an unknown user)
  • MITRE ATT&CK tactics represent adversary GOALS, not specific tools. The same technique can be executed with different tools — the exam tests understanding of the tactic-technique relationship

Quick Check: Detection Logic and Alert Analytics

Question 1 of 3

A Falcon Next-Gen SIEM analyst sees three detections for the same host: a first-party EDR detection for suspicious PowerShell execution, a third-party firewall passthrough alert for unusual outbound traffic, and a correlation rule detection for data staging behavior. Which detection type provides the MOST context for initial triage?

Domain 3: 40% of exam

Incident Investigation

The heaviest domain at 40% — expect roughly 24 questions on investigation topics. Covers constructing event chains from multiple data sources, identifying lateral movement, persistence, and privilege escalation indicators, pivoting between observables, assessing severity and scope, recommending response actions, utilizing Falcon Fusion SOAR, interpreting IOCs, leveraging contextual data, and understanding data source availability. Master this domain or you will not pass.

Key Topics

Event Chain Construction, Observable Pivoting, IOCs, Lateral Movement, Persistence, Privilege Escalation, Falcon Fusion SOAR, Contextual Data, Response Recommendations

Must-Know Concepts

  • Constructing event chains by correlating logs from network, host, email, identity, and cloud data sources to establish the complete timeline and sequence of a security incident
  • Identifying lateral movement indicators: remote logins to previously uncontacted hosts, RDP/SSH sessions, WMI/PSExec execution, network share access, and pass-the-hash/pass-the-ticket patterns
  • Identifying persistence indicators: scheduled task creation, registry run key modifications, service installation, startup folder additions, cron job creation, and web shell deployment
  • Identifying privilege escalation indicators: credential dumping (Mimikatz, LSASS access), token manipulation, exploiting local vulnerabilities, creating new admin accounts, and abusing misconfigured permissions
  • Pivoting between related observables: following connections from IP addresses to user accounts, user accounts to hostnames, hostnames to processes, processes to file hashes, and file hashes to threat intelligence
  • Assessing incident severity and scope based on correlated evidence: number of affected hosts, sensitivity of compromised data, attacker capabilities demonstrated, and organizational impact
  • Recommending appropriate response and remediation actions based on investigation findings: host containment, credential reset, malware removal, policy changes, and communication procedures
  • Utilizing existing Falcon Fusion SOAR workflows for automated containment (host isolation) and remediation (malware quarantine, user lockout) of confirmed malicious activity
  • Identifying and interpreting indicators of compromise: recognizing malicious IP addresses, suspicious domain names, known malware hashes, and anomalous URLs in investigation data
  • Leveraging contextual data: using geolocation to identify impossible travel scenarios, IP reputation to assess known-bad infrastructure, and TTP mapping to attribute activity to threat groups
  • Understanding data source availability and retention: knowing which log types are available, how long they are retained, and how retention affects investigation scope and timeline reconstruction

Common Exam Traps

  • Event chain construction requires MULTIPLE data sources. An investigation using only one data source is incomplete — the exam tests whether you know which additional sources to query for correlation
  • Lateral movement and privilege escalation are different techniques: lateral movement is about moving BETWEEN systems, privilege escalation is about gaining higher access ON a system. Both are post-compromise but serve different goals
  • Falcon Fusion SOAR workflows are for EXISTING, predefined automation. Analysts UTILIZE workflows; they do not build them on the fly during investigations — building workflows is an engineer (CCSE) task
  • Response recommendations must be proportional to findings. The exam tests whether you can match the severity of recommended actions to the severity of confirmed evidence, not worst-case assumptions
  • Data retention limitations affect investigation capability. If logs are only retained for 30 days but the incident started 45 days ago, you cannot reconstruct the full timeline — the exam tests awareness of this constraint
  • Impossible travel detection requires BOTH geolocation context AND timestamp analysis. A login from New York followed by a login from Tokyo 30 minutes later is suspicious; 24 hours later may be legitimate travel

Quick Check: Incident Investigation

Question 1 of 4

An analyst investigating a detection finds that a user account logged in from an IP address in New York at 09:00 UTC, then the same account authenticated from a Tokyo IP address at 09:25 UTC. What should the analyst conclude?

Domain 4: 10% of exam

Reporting and Communication

This domain covers documenting investigation findings and communicating security events to stakeholders. You must know how to use Case Management for investigation documentation and how to create aggregation-based visual summaries that reveal trends and anomalies. While the smallest domain, it tests practical communication skills essential for SOC analysts.

Key Topics

Case Management, Dashboards, Aggregations, Visualizations, Trend Analysis, Anomaly Detection

Must-Know Concepts

  • Using Case Management to document and summarize investigation results: attaching relevant detections, adding analyst notes, tracking investigation progress, and recording final findings
  • Creating aggregation-based visual summaries using CQL: groupBy, stats, top, and timeChart functions to produce meaningful data representations
  • Building and using dashboards to reveal trends (increasing attack frequency, emerging threat patterns) and anomalies (unusual spikes, outlier behaviors)
  • Communicating investigation findings to leadership: summarizing technical details in business-relevant language, highlighting impact and risk, and recommending actions
  • Selecting appropriate visualization types for different data: bar charts for comparisons, time series for trends, tables for detailed data, and maps for geographic distribution

Common Exam Traps

  • Case Management is for INVESTIGATION DOCUMENTATION, not for creating detections or configuring alerts. It aggregates findings from investigations, not raw security events
  • Dashboards and aggregations in this domain are used for COMMUNICATION and TREND ANALYSIS, not for real-time detection. Do not confuse reporting dashboards with monitoring dashboards
  • Visual summaries should reveal trends and anomalies — the exam tests whether you know which aggregation functions and visualization types best highlight specific patterns in data
  • Leadership reporting requires translating technical findings into business impact. The exam may test whether you know how to frame investigation results for non-technical audiences

Quick Check: Reporting and Communication

Question 1 of 3

After completing an investigation into a phishing campaign that compromised three user accounts, an analyst needs to document the findings. Which tool should be used?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

First-Party Detections vs Third-Party Passthrough Detections

Use First-Party Detections when…

Alerts generated natively by CrowdStrike Falcon modules including EDR, Identity Protection, and Cloud Security. These have rich Falcon context, automatic CPS normalization, and direct ATT&CK mapping.

Use Third-Party Passthrough Detections when…

Alerts forwarded from external security tools (firewalls, other EDR products, email gateways) into Falcon Next-Gen SIEM via data connectors. May have limited context and require additional parsing.

Exam trap

First-party detections come with full Falcon context and are already normalized. Third-party passthrough detections may lack context and require correlation with other data sources to fully investigate. The exam tests whether you know which detection type provides richer investigation data.

Correlation Rule Detections vs First-Party Detections

Use Correlation Rule Detections when…

Detections generated by custom or built-in CQL-based correlation rules that fire when specific conditions are met across one or more data sources. Analyst-defined logic for organization-specific threats.

Use First-Party Detections when…

Detections generated automatically by CrowdStrike's own detection engine using Indicators of Attack (IOAs) and machine learning models trained on CrowdStrike's threat intelligence.

Exam trap

Correlation rules are created and tuned by SIEM engineers using CQL. First-party detections are powered by CrowdStrike's detection engine. Both appear in the detection queue but have different origins and different levels of CrowdStrike-provided context.

IOCs (Indicators of Compromise) vs IOAs (Indicators of Attack)

Use IOCs (Indicators of Compromise) when…

Static artifacts like IP addresses, file hashes, domain names, and URLs that are known to be associated with malicious activity. Reactive — they identify threats after they have been seen before.

Use IOAs (Indicators of Attack) when…

Behavioral patterns and sequences of actions that indicate an attack is in progress, regardless of the specific tools used. Proactive — they detect novel attacks based on behavior, not signatures.

Exam trap

IOCs are evidence-based and static (known bad artifacts). IOAs are behavior-based and dynamic (suspicious action sequences). Falcon uses IOAs for its first-party detections while IOCs are used for threat correlation and enrichment. The exam tests whether you understand this fundamental difference.

CQL Search Queries vs Correlation Rules

Use CQL Search Queries when…

Ad-hoc or saved queries used for manual investigation, threat hunting, and data exploration. Run on-demand by analysts to answer specific questions about security events.

Use Correlation Rules when…

Persistent detection rules written in CQL that run continuously against incoming data and automatically generate alerts when conditions are met. Used for automated threat detection.

Exam trap

Both use CQL syntax, but search queries are on-demand investigations that produce results. Correlation rules are persistent detections that trigger alerts automatically. A search query explores data; a correlation rule monitors for threats. The exam tests when to use each approach.

Severity vs Confidence

Use Severity when…

Alert metadata indicating the potential impact of a detected threat if it is confirmed as malicious. High severity means significant potential damage to the organization.

Use Confidence when…

Alert metadata indicating how likely the detection represents a true positive rather than a false positive. High confidence means the detection logic strongly matches known malicious patterns.

Exam trap

A detection can have high severity but low confidence (potentially devastating but uncertain) or low severity but high confidence (confirmed but minor impact). The exam tests whether you can use both dimensions together to prioritize investigations — high severity AND high confidence detections should be investigated first.

Falcon Fusion SOAR Workflows vs Manual Investigation

Use Falcon Fusion SOAR Workflows when…

Automated response playbooks that execute predefined actions (contain host, send notification, create ticket) when triggered by detections or on schedule. Built with a no-code visual builder.

Use Manual Investigation when…

Analyst-driven investigation using CQL queries, dashboards, observable pivoting, and manual evidence correlation. Requires human judgment and manual action execution.

Exam trap

SOAR workflows automate repetitive containment and remediation actions but do not replace analyst judgment for complex investigations. The exam tests when to use automated containment (clear-cut threats) vs manual investigation (ambiguous or complex scenarios).

Lateral Movement vs Privilege Escalation

Use Lateral Movement when…

Attacker technique of moving between systems in a network after initial compromise. Indicators include remote logins to new hosts, RDP/SSH sessions, WMI execution, and pass-the-hash attacks.

Use Privilege Escalation when…

Attacker technique of gaining higher-level permissions on a system. Indicators include credential dumping, token manipulation, exploiting local vulnerabilities, and creating new admin accounts.

Exam trap

Lateral movement is about spreading ACROSS systems. Privilege escalation is about gaining higher access ON a system. Both are post-compromise techniques but address different attack objectives. The exam often presents scenarios where you must identify which technique an attacker is using.

Top Mistakes to Avoid

  • Confusing first-party detections (native CrowdStrike Falcon) with third-party passthrough detections (forwarded from external tools) — first-party detections have richer context for investigation
  • Mixing up IOCs (static artifacts like IPs and hashes) with IOAs (behavioral patterns indicating attack activity) — Falcon uses IOAs for detection and IOCs for correlation
  • Thinking correlation rules and CQL search queries serve the same purpose — rules are persistent automated detections, queries are on-demand investigations
  • Not understanding the difference between severity (potential impact) and confidence (likelihood of true positive) in alert metadata — both must be considered together for triage
  • Confusing lateral movement (spreading between systems) with privilege escalation (gaining higher access on one system) — both are post-compromise but serve different attacker goals
  • Using vendor-specific field names instead of CPS normalized fields when writing cross-source queries — CPS fields enable data source agnostic querying
  • Forgetting that OR binds closer than AND in CQL — use parentheses to ensure correct logical evaluation order in complex queries
  • Treating Falcon Fusion SOAR as a replacement for analyst investigation — SOAR automates repetitive response actions but does not replace human judgment for complex investigations
  • Assuming all detections require the same investigation depth — high severity + high confidence detections should be prioritized over low confidence alerts
  • Ignoring data retention limitations when constructing investigation timelines — if logs have expired, that portion of the timeline cannot be reconstructed

Exam-Ready Checklist

  • Can explain all 4 exam domains and their relative weights (25%, 25%, 40%, 10%)
  • Can construct CQL queries with filters, logical operators, time parameters, and aggregation functions (groupBy, stats, top, eval, regex)
  • Understand the CrowdStrike Parsing Standard (CPS) and can use normalized field names for data source agnostic queries
  • Can differentiate between all three detection types: first-party, third-party passthrough, and correlation rule detections
  • Know the MITRE ATT&CK framework structure (tactics vs techniques) and how Falcon maps detections to ATT&CK
  • Can interpret alert metadata (severity, tactic, confidence) and use it to prioritize investigation efforts
  • Can differentiate false positives from legitimate detections by analyzing event context and environmental factors
  • Proficient at constructing event chains from multiple data sources to tell the complete story of an incident
  • Can identify lateral movement, persistence, and privilege escalation indicators in log data
  • Know how to pivot between observables (IPs, users, hosts, hashes) to expand investigation scope
  • Understand when to use Falcon Fusion SOAR workflows for automated containment vs manual investigation
  • Can identify and interpret IOCs and leverage contextual data (geolocation, IP reputation, TTPs) for threat assessment
  • Know how to document investigations using Case Management and create visual summaries with appropriate aggregation functions
  • Scored 80%+ on at least two full mock exams — the passing threshold is 80%, leaving very little room for error across 60 questions
