General Exam Tips
- 1.The passing score is 80% — you can only miss about 12 of 60 questions. Treat every question as critical.
- 2.Read ALL answer options before selecting. Many wrong answers are almost-right: they use the correct tool but for the wrong scenario.
- 3.Parsing (30%) + Data Ingestion (27%) = 57% of the exam. If you master these two domains you are more than halfway to passing.
- 4.Scenario questions describe a specific symptom or constraint. Identify the symptom first, then eliminate answers that don't address it directly.
- 5.When a question involves choosing between a data connector vs Falcon Log Collector, the key discriminator is: cloud/API source = connector, on-premises/syslog source = Log Collector.
- 6.When a question involves field naming in CPS, ask: does ECS have this field? If yes, use the ECS name. If no, prefix with 'Vendor.'
- 7.Flag and skip questions you're unsure of. Come back with fresh eyes — there is no penalty for wrong answers so always answer every question.
- 8.Time management: 90 minutes for 60 questions = 90 seconds per question. Questions with CQL code are slower to read — budget extra time.
- 9.If two answers both seem correct, look for the one that is more specific to the scenario constraint described in the question.
- 10.The exam tests engineer-level judgment, not just recall. Ask yourself: what would a SIEM engineer actually do first in this scenario?
User Management
Must-Know Facts
- RBAC in Falcon Next-Gen SIEM uses platform-level roles (what features a user can access) AND repository-level access controls (what data a user can see) — both must be configured.
- Custom roles must be explicitly created and assigned; there is no automatic role inheritance from organizational hierarchy or default roles.
- The NG SIEM Analyst role grants case-reading and XDR-writing permissions but does NOT allow template modifications — this distinction appears in exam scenarios.
- Principle of least privilege applies: SOC Tier 1 analysts should be able to query and view dashboards but not edit correlation rules or SOAR workflows.
- User permissions affect data visibility, feature access, and what SOAR workflows a user can trigger — not just login capability.
- Dormant/inactive accounts with repeated failed login attempts must be disabled promptly — this is a tested security hygiene scenario.
Common Traps
Confusing Pairs
Scenario Tips
A SOC Tier 1 analyst needs to view dashboards and run CQL queries but must not modify correlation rules or SOAR workflows.
Create a custom role with query and dashboard read permissions, explicitly excluding rule-edit and workflow-edit permissions. Assign to the analyst.
Assigning the default NG SIEM Analyst role may grant too many or too few permissions for the exact scenario — the exam expects you to recognize that custom roles provide precise granularity.
Different SIEM teams should only access log repositories relevant to their business unit.
Configure repository-level access controls per team — this is separate from platform roles.
CQL query restrictions are not an access control mechanism. Platform roles alone cannot restrict data scope — repository-level controls are required.
Last-Minute Facts
Data Ingestion
Must-Know Facts
- First-party data (native Falcon telemetry from CrowdStrike products) is automatically ingested and parsed — no connector or parser configuration required.
- Third-party data requires either an API-based data connector (for cloud/SaaS sources) or a Falcon Log Collector (for on-premises syslog/file sources).
- Falcon Log Collector runs on Windows, Mac, and Linux. It listens for syslog using a configurable port (standard syslog default is 514; deployments commonly use 1514 to avoid requiring root/elevated privileges on Linux) and forwards data to the SIEM via HEC sinks.
- HEC (HTTP Event Collector) is the transport endpoint that receives data from the Falcon Log Collector — it is NOT a data source itself.
- Data ingest is measured as Average GB/day pre-parsing (before parsing is applied), not post-parsing or monthly totals.
- Each Next-Gen SIEM connector has a maximum ingest capacity of 10,000 events per second (EPS).
- Default HEC syslog UDP maxEventSize is 2048 bytes (configurable up to 1MB+). Know this number for sizing questions.
- Fleet management = centralized management of deployed Falcon Log Collectors (NOT Falcon sensor agents on endpoints).
- Third-party connector architecture standard components: source device, transport protocol (syslog/HEC), authentication, parsing pipeline, destination repository.
- All Falcon Insight XDR customers receive a 10GB/day free tier for third-party data ingestion. Exceeding this stops ingestion unless extended subscription is active.
- On-premises syslog sources require the HTTP Event Connector or Falcon Log Collector — NOT cloud-specific connectors.
Common Traps
Confusing Pairs
Scenario Tips
Ingesting firewall logs from on-premises Palo Alto devices that send syslog.
Deploy a Falcon Log Collector configured to receive syslog (commonly on port 1514 to avoid root-privilege requirements, though the standard syslog port is 514 and the port is configurable), forward via HEC sink to SIEM.
There is no API-based data connector for an on-premises syslog source. Falcon sensors cannot be installed on firewalls. Federated search queries existing data — it does not collect new data.
Connector shows 'Healthy' but no events appear in the target repository.
First troubleshooting step: verify the parser is correctly assigned to the data source and check for parsing errors. Events may be arriving but failing to parse.
Restarting the Log Collector (wrong — this is a connector issue, not a collector issue), recreating API credentials (wrong — healthy status means auth is working), increasing sizing (wrong — that would affect throughput, not silent event loss).
A custom application running on-premises needs to send logs directly to the SIEM via HTTP.
Configure the application to use the HTTP Event Connector (HEC endpoint), not a data connector or Falcon Log Collector.
Data connectors are for pulling data from external APIs, not receiving HTTP pushes from custom applications.
Last-Minute Facts
Parsing
Must-Know Facts
- CrowdStrike Parsing Standard (CPS) is based on Elastic Common Schema (ECS) 8.x but has documented deviations and extensions — it is NOT identical to ECS.
- Fields that exist in ECS must use the ECS field name. Fields that do NOT exist in ECS must be prefixed with 'Vendor.' (e.g., 'Vendor.fw_action').
- CPS requires ALL fields from the raw log to be preserved as LogScale fields — no fields should be dropped, even non-ECS ones.
- Vendor. prefix rule: keep field names and values unchanged except replace spaces with underscores in field names.
- Mandatory CPS fields that every parser must populate: event.module, event.dataset, event.kind. Additional key fields: event.action, source.ip, user.name.
- Parser validation test cases with sample log data are REQUIRED for CPS compliance — a parser without test cases is not CPS-compliant.
- Log format recognition is testable: JSON, CSV, syslog RFC 3164 and RFC 5424, CEF (Common Event Format), LEEF (Log Event Extended Format), key-value pairs, XML, unstructured text.
- AI-assisted parser generation: useful starting point for structured JSON logs, but always requires manual validation, refinement, and additional test cases before production deployment.
- Parser types: build from scratch (full control), clone and modify (good for similar sources), AI-assisted (fastest for structured logs).
- Common parser failures: type mismatches (array vs string), invalid enum values for event.outcome, missing mandatory fields, incorrect regex that fails on edge cases.
- Parser validation errors are visible in the Validation Errors pane — always check this after creating or modifying a parser.
Common Traps
Confusing Pairs
Scenario Tips
A raw log contains a field 'fw_action' that does not exist in ECS. What should the parser do with it?
Prefix it as 'Vendor.fw_action' and keep the value unchanged (replacing any spaces with underscores in the name).
Dropping the field violates CPS. Forcing a semantic mismatch by mapping to the 'nearest' ECS field creates correlation problems. Creating a new top-level ECS field is not permitted by individual parsers.
An engineer receives structured JSON logs from an unfamiliar source and needs a parser quickly.
Use AI-assisted parser generation with sample logs, then validate and refine the output before deploying.
Writing from scratch is unnecessary for structured JSON. Cloning a syslog parser would require extensive rewriting. Submitting a request to CrowdStrike delays operations unnecessarily.
A parser is producing zero normalized events even though raw logs are arriving at the SIEM.
Check the Validation Errors pane for the parser. Common causes: type mismatches, missing mandatory fields, invalid enum values, regex failing to match the actual log format. Verify parser test cases pass with the current log samples.
The issue is not in data ingestion (logs are arriving). Recreating credentials or restarting the collector won't fix a parsing logic failure.
Which parser approach is most efficient when the new source format is nearly identical to an already-parsed source?
Clone the existing parser and modify the differing field mappings.
AI-assisted is faster for novel structures; cloning is faster when similarity is high. Building from scratch is never 'most efficient' when a baseline exists.
Last-Minute Facts
Content Creation
Must-Know Facts
- CQL pipe syntax: operations chain left-to-right using '|'. The order matters — filter early, aggregate late for best performance.
- In CQL, OR binds closer than AND — opposite of most programming languages. Use parentheses to ensure correct logic: (A AND B) OR C will behave differently than A AND (B OR C).
- Field assignment in CQL uses ':=' not '='. The '=' operator is for comparison/filtering. eval(newField := value) creates a new field; field = value filters events.
- top(field, limit=N) performs built-in counting and ranking in a single operation — do NOT add groupBy() before top() since top() already handles counting internally.
- groupBy(field) deduplicates and counts. stats(count()) aggregates. top(field, limit=N) ranks. All are aggregation functions but serve different use cases.
- Correlation rules are persistent detections that run continuously on incoming data and generate alerts. CQL search queries are ad-hoc, on-demand investigations. Both use CQL syntax.
- Tuning a correlation rule means modifying its filter logic (adding exclusions, adjusting thresholds, refining time windows) — not disabling it or reducing severity.
- Lookup files enrich events with additional context. Referenced in CQL queries and correlation rules using lookup-style joins.
- Pre-built dashboards require the underlying data source to be ingested and parsed. A dashboard showing no data is NOT a dashboard error — it indicates the data connector or parser is not configured.
- Vendor-native detections (from CrowdStrike modules: EDR, identity, cloud) come with full Falcon context and are already CPS-mapped. External detections (from third-party tools) may require additional parsing.
- Correlation rules can be assigned MITRE ATT&CK technique tags and severity levels for triage and reporting context.
- CQL key functions to know: groupBy(), stats(count()), top(), eval(), regex(), rename(), replace(), sort(), formatTime(), concat(), ioc:lookup().
Common Traps
Confusing Pairs
Scenario Tips
Find the top 10 source IP addresses with the most failed login events in the last 24 hours.
Filter first, then use top(): #event_simpleName=UserLogonFailed | top(src_ip, limit=10)
Adding groupBy(src_ip) before top() is redundant since top() handles counting. sort() does not limit results to 10. stat(count()) by itself doesn't rank.
A correlation rule fires alerts on a known internal scanning server, generating false positives.
Add an exclusion filter for the scanning server's IP address to the rule's CQL logic.
Disabling the rule removes all detection coverage. Reducing severity to low still fires the same volume of alerts. Deleting historical alerts does not prevent future ones.
Create a calculated field 'connection' that combines source IP and destination port as 'IP:port'.
| eval(connection := concat(src_ip, ":", dst_port))
connection = src_ip + ":" + dst_port uses '=' which is a filter, not a field creator. rename() changes a field's name, not its value. replace() substitutes substrings within a value.
A pre-built dashboard for firewall traffic shows no data after a new deployment.
The data connector for the firewall source is likely not configured or not ingesting data. Configure the connector and verify events are arriving before investigating the dashboard itself.
The dashboard is not broken — pre-built dashboards are correct by design. Rebuilding the dashboard or changing widget types will not fix an ingestion problem.
Last-Minute Facts
Automation and Integration
Must-Know Facts
- Falcon Fusion SOAR is a no-code visual workflow builder — it does NOT require programming. API integrations via FalconPy are a separate, code-based capability.
- Falcon Fusion SOAR workflow trigger types: event-triggered (fires on correlation rule detection), scheduled (runs on a time schedule), and on-demand (manually launched).
- Built-in SOAR action types: contain host, send email notification, create Jira ticket, write to log, query device list, execute custom HTTP actions.
- HTTP Actions in SOAR support three authentication methods: API keys, OAuth 2.0, and CrowdStrike-specific authentication.
- Falcon Fusion SOAR is available at no additional cost for first-party automation. Advanced third-party orchestration requires Next-Gen SIEM licensing.
- FalconPy SDK authentication: OAuth 2.0 using Client ID and Client Secret — not username/password, not API-key-only.
- FalconPy automatically manages OAuth token refresh. You provide Client ID and Client Secret once; token management is handled by the SDK.
- FalconPy Service Classes: one class per API collection (e.g., Detections, Hosts, Incidents) — most specific interface for a known API.
- FalconPy Uber Class: single class interface to all API operations — convenient but less type-specific.
- SOAR workflows are configured separately from correlation rules. A rule generates detections; a workflow reacts to those detections. They are linked by trigger configuration, not embedded in each other.
- API credentials (Client ID and Client Secret) are generated in the Falcon console under API Clients section. Scope permissions to least privilege.
Common Traps
Confusing Pairs
Scenario Tips
Automatically contain a host and create a Jira ticket when a critical correlation rule fires.
Create a Falcon Fusion SOAR workflow triggered by the correlation rule detection with two actions: contain host and create Jira ticket.
Writing a FalconPy polling script introduces delay and complexity. Correlation rules cannot directly execute containment. CQL queries cannot call external APIs.
Write a Python script to query the Falcon API specifically for recent detections.
Use the FalconPy Service Class for the Detections API collection — it provides the most focused interface for this specific use case.
The Uber Class works but is less specific. Manual REST calls require managing OAuth tokens yourself. SOAR is no-code, not a Python SDK.
A SOAR workflow needs to integrate with an internal ticketing system via HTTP. What authentication methods are available?
HTTP Actions in SOAR support three methods: API keys, OAuth 2.0, and CrowdStrike-specific authentication.
Basic username/password is not a listed method for SOAR HTTP Actions. SAML is not used here.