You have general security operations or SOC experience but limited or no exposure to CrowdStrike Falcon Next-Gen SIEM. You need to learn the platform, CQL, and CrowdStrike-specific investigation workflows.
Exam Overview
Format
60 questions, 90 minutes. All questions are multiple choice covering analytical reasoning and investigation scenarios.
Scoring
Percentage-based scoring 0-100%. Passing: 80%. No penalty for wrong answers — always answer every question.
Domains & Weights
- Querying and Analytics: 25%
- Detection Logic and Alert Analysis: 25%
- Incident Investigation: 40%
- Reporting and Communication: 10%
Registration
Exam fee is $250 USD. Available at Pearson VUE testing centers or online proctored. Certification is valid for 3 years; recertification requires passing the current exam version.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Querying and Analytics
This domain covers constructing CQL queries to search, filter, and analyze security data within Falcon Next-Gen SIEM. You must be able to build queries with filters, logical operators, and time parameters; leverage dashboards and prebuilt scripts for threat hunting; interpret query results to identify suspicious behavior; pivot between related data sets; and use the CrowdStrike Parsing Standard for cross-source queries.
Key Topics
Must-Know Concepts
- CQL query construction: pipe syntax for chaining operations, filter expressions using field=value, logical operators (AND, OR), comparison operators, and time range parameters
- CQL functions for analysis: groupBy() for deduplication, stats(count()) for aggregation, top() for ranking, eval() for calculated fields, regex() for pattern extraction, rename(), and sort()
- Free-text search vs field-based filtering: when to use each approach and how they affect query performance and result accuracy
- Using dashboards and prebuilt scripts to hunt for suspicious behaviors without writing queries from scratch
- Interpreting query results to distinguish normal from suspicious or malicious patterns — the exam presents results and asks for the correct interpretation
- Pivoting between related Falcon Next-Gen SIEM data sets: correlating network data with host data, host data with email data, email data with identity data across repositories
- CrowdStrike Parsing Standard (CPS) for data source agnostic queries: using normalized field names (e.g., source.ip, user.name, event.action) that work across all data sources regardless of original format
- Time parameters in CQL: relative time ranges, absolute time ranges, and how time scoping affects query performance and investigation accuracy
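An added example (not from the original page or from CrowdStrike documentation) of a CPS-normalized hunting query that ties the bullets above together: pipe syntax, field-based filtering, groupBy() aggregation, sort() and rename(). Field names follow the CPS convention named above (event.category, event.outcome, source.ip, user.name); the event category and outcome values, and the limit of 20, are assumptions chosen for illustration.

```cql
// Constructed example: rank source IP / account pairs by number of failed logons.
// CPS-normalized field names let the same query run across Windows, VPN, IdP and
// other authentication sources without per-source field names.
// The time range comes from the search window selected in the Next-Gen SIEM UI.
event.category="authentication" AND event.outcome="failure"
| groupBy([source.ip, user.name], function=count(as=failures))
| sort(failures, order=desc, limit=20)
| rename(field=source.ip, as=src_ip)

// Free-text search scans every field of every event and is slower and noisier:
//   "svc-backup"
// The field-based equivalent is narrower, faster, and unambiguous:
//   user.name="svc-backup"
```

The resulting src_ip values are the pivot points for the next hop of the investigation (host, process, or identity data for that address).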
Detection Logic and Alert Analysis
This domain covers understanding how detections are generated and analyzed in Falcon Next-Gen SIEM. You must know the purpose of correlation rules, differentiate between detection types (first-party, third-party passthrough, and correlation), apply the MITRE ATT&CK framework, distinguish false positives from real threats, and interpret alert metadata to prioritize investigations.
Key Topics
Must-Know Concepts
- Purpose and function of correlation rules: how they use CQL to define detection logic, how they generate alerts, and how they can be configured to produce detections or incidents
- Three detection types: first-party detections (native Falcon EDR, Identity, Cloud), third-party passthrough detections (alerts forwarded from external tools), and correlation rule detections (custom or built-in CQL-based rules)
- MITRE ATT&CK framework components used in Falcon: tactics (adversary goals like Initial Access, Execution, Persistence), techniques (specific methods), and how detections are mapped to them
- False positive analysis: evaluating event context, user behavior patterns, known benign activities, and environmental factors to determine whether a detection represents a real threat
- Alert metadata interpretation: severity (potential impact), tactic (ATT&CK classification), confidence (likelihood of true positive), and how to combine these to determine investigative priority
- Out-of-the-box correlation rules: CrowdStrike-provided detection rules mapped to MITRE ATT&CK and specific adversary groups, versus custom rules created by the organization
- Detection triage workflow: how analysts should prioritize and sequence investigation of multiple simultaneous detections based on metadata and organizational risk
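An added example (not from the original page or from a CrowdStrike built-in rule) of the kind of CQL detection logic a correlation rule wraps: a single source address failing logons against many distinct accounts, the pattern MITRE ATT&CK maps to Brute Force: Password Spraying (T1110.003). The field names follow CPS as above; the threshold of 10 accounts is an arbitrary starting value to be tuned against the environment's false-positive rate.

```cql
// Constructed example of correlation-rule detection logic (defender view):
// count attempts and distinct target accounts per source IP, then keep only
// sources that exceed the tuning threshold. The rule's schedule and search
// window determine how much history each evaluation covers.
event.category="authentication" AND event.outcome="failure"
| groupBy(source.ip, function=[
      count(as=attempts),
      count(user.name, distinct=true, as=distinct_users)
  ])
| distinct_users >= 10
| sort(distinct_users, order=desc)
```

Each row that survives the threshold is what the rule would emit as a detection; the attempts and distinct_users values are the context an analyst would use, alongside severity and confidence, when triaging it against other simultaneous detections.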
Incident Investigation
The heaviest domain at 40% — expect roughly 24 questions on investigation topics. Covers constructing event chains from multiple data sources, identifying lateral movement, persistence, and privilege escalation indicators, pivoting between observables, assessing severity and scope, recommending response actions, utilizing Falcon Fusion SOAR, interpreting IOCs, leveraging contextual data, and understanding data source availability. Master this domain or you will not pass.
Key Topics
Must-Know Concepts
- Constructing event chains by correlating logs from network, host, email, identity, and cloud data sources to establish the complete timeline and sequence of a security incident
- Identifying lateral movement indicators: remote logins to previously uncontacted hosts, RDP/SSH sessions, WMI/PSExec execution, network share access, and pass-the-hash/pass-the-ticket patterns
- Identifying persistence indicators: scheduled task creation, registry run key modifications, service installation, startup folder additions, cron job creation, and web shell deployment
- Identifying privilege escalation indicators: credential dumping (Mimikatz, LSASS access), token manipulation, exploiting local vulnerabilities, creating new admin accounts, and abusing misconfigured permissions
- Pivoting between related observables: following connections from IP addresses to user accounts, user accounts to hostnames, hostnames to processes, processes to file hashes, and file hashes to threat intelligence
- Assessing incident severity and scope based on correlated evidence: number of affected hosts, sensitivity of compromised data, attacker capabilities demonstrated, and organizational impact
- Recommending appropriate response and remediation actions based on investigation findings: host containment, credential reset, malware removal, policy changes, and communication procedures
- Utilizing existing Falcon Fusion SOAR workflows for automated containment (host isolation) and remediation (malware quarantine, user lockout) of confirmed malicious activity
- Identifying and interpreting indicators of compromise: recognizing malicious IP addresses, suspicious domain names, known malware hashes, and anomalous URLs in investigation data
- Leveraging contextual data: using geolocation to identify impossible travel scenarios, IP reputation to assess known-bad infrastructure, and TTP mapping to attribute activity to threat groups
- Understanding data source availability and retention: knowing which log types are available, how long they are retained, and how retention affects investigation scope and timeline reconstruction
Reporting and Communication
This domain covers documenting investigation findings and communicating security events to stakeholders. You must know how to use Case Management for investigation documentation and how to create aggregation-based visual summaries that reveal trends and anomalies. While the smallest domain, it tests practical communication skills essential for SOC analysts.
Key Topics
Must-Know Concepts
- Using Case Management to document and summarize investigation results: attaching relevant detections, adding analyst notes, tracking investigation progress, and recording final findings
- Creating aggregation-based visual summaries using CQL: groupBy, stats, top, and timeChart functions to produce meaningful data representations
- Building and using dashboards to reveal trends (increasing attack frequency, emerging threat patterns) and anomalies (unusual spikes, outlier behaviors)
- Communicating investigation findings to leadership: summarizing technical details in business-relevant language, highlighting impact and risk, and recommending actions
- Selecting appropriate visualization types for different data: bar charts for comparisons, time series for trends, tables for detailed data, and maps for geographic distribution
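An added example (not from the original page) of aggregation-based summaries for a dashboard: a timeChart() for trend visibility and a groupBy() table for the detailed view, using the CPS field names assumed in the earlier examples; the 1-hour span and the limit of 10 are arbitrary choices.

```cql
// Constructed example: hourly authentication outcomes as a time series, one
// line per outcome value, so a spike in failures stands out against the
// baseline of successes (time series widget).
event.category="authentication"
| timeChart(series=event.outcome, function=count(), span=1h)

// Companion table for the same window: which accounts carry the failures
// (table widget, for the detailed drill-down next to the trend chart).
// event.category="authentication" AND event.outcome="failure"
// | groupBy(user.name, function=count(as=failures))
// | sort(failures, order=desc, limit=10)
```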