Exam Overview
Format
60 questions, 90 minutes. Multiple-choice questions covering practical SIEM engineering scenarios.
Scoring
Percentage-based scoring 0-100%. Passing: 80%. No penalty for wrong answers — always answer every question.
Domains & Weights
- User Management: 7%
- Data Ingestion: 27%
- Parsing: 30%
- Content Creation: 26%
- Automation and Integration: 10%
Registration
Exam fee: $250 USD. Available at Pearson VUE testing centers or online proctored. Certification is valid for 3 years; recertification requires passing the current exam version.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
User Management
This domain covers configuring user roles, permissions, and establishing custom role structures for platform access control within Falcon Next-Gen SIEM. While the smallest domain by weight, it tests foundational knowledge that underpins all other SIEM operations.
Key Topics
Must-Know Concepts
- How to configure user roles and permissions within Falcon Next-Gen SIEM for appropriate access control
- Role-based access control (RBAC) implementation for secure platform management and data access separation
- Custom role creation to establish granular access structures tailored to organizational needs and security requirements
- The relationship between user permissions and data visibility, including repository-level access controls
- Administrative vs analyst vs read-only role distinctions and when to apply each level of access
Data Ingestion
The second-heaviest domain covering how data enters Falcon Next-Gen SIEM. You must understand first-party vs third-party data sources, built-in data connectors, Falcon Log Collector deployment and management, connector architecture, sizing specifications, and troubleshooting ingestion issues. This domain is highly practical and scenario-based.
Key Topics
Must-Know Concepts
- How to categorize first-party data (native Falcon telemetry) vs third-party data (external security tools, cloud services, network devices) and their ingestion differences
- Selecting the appropriate integration method: API-based data connectors for cloud/SaaS sources vs Falcon Log Collector for on-premises syslog/file sources
- Setting up and maintaining built-in data connectors including authentication, scheduling, and data flow configuration
- Standard components of third-party connector architecture: source, transport protocol, authentication, parsing pipeline, and destination repository
- Falcon Log Collector sizing specifications: CPU, memory, disk, and network requirements based on events per second (EPS) throughput
- Installing and configuring the Falcon Log Collector: supported operating systems (Windows, Mac, Linux), syslog sources (UDP/TCP on port 1514), and HEC sink configuration
- Fleet management operations: centralized collector management, health monitoring, configuration updates, and scaling strategies
- Diagnosing and resolving common ingestion complications: missing events, parsing errors, connectivity issues, authentication failures, and throughput bottlenecks
Parsing
The heaviest domain at 30% — expect roughly 18 questions on parsing topics. Covers the CrowdStrike Parsing Standard (CPS), data normalization, log format recognition, parser validation, custom parser development, AI-assisted parser generation, advanced parsing syntax, and parser troubleshooting. This domain requires both conceptual knowledge and practical parser-building skills.
Key Topics
Must-Know Concepts
- CrowdStrike Parsing Standard (CPS) framework: based on ECS 8.x, with documented deviations and extensions. CPS-compliant parsers standardize data for detection, dashboards, and analytics
- Data normalization using CPS: mapping raw vendor fields to standard ECS field names, ensuring consistent query capability across all data sources
- Vendor-prefixed fields: fields not in ECS are prefixed with 'Vendor.' to maintain clean namespace separation between standard and vendor-specific data
- Recognizing various log format structures: JSON, CSV, syslog (RFC 3164/5424), CEF, LEEF, key-value pairs, XML, and unstructured text formats
- Developing parser validation test cases: creating sample log entries, testing field extraction, verifying CPS compliance, and validating edge cases
- Cloning and adjusting existing parser configurations: duplicating parsers as starting points and modifying field mappings for similar but different sources
- Building custom parser logic from scratch: regex extraction, field assignment, conditional parsing, and multi-format handling
- AI-assisted parser generation: using the AI Parser feature to automatically generate parser configurations from sample logs and refining the output
- Advanced syntax features: nested field extraction, conditional logic, multi-line log handling, and complex regex patterns for parser development
- Identifying and correcting parsing operation failures: debugging field extraction errors, handling format changes, and resolving CPS compliance issues
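As an added illustration, not CrowdStrike's parser engine or any published CPS parser, the following Python sketch parses one CEF line, maps a constructed set of vendor fields to ECS names, prefixes the remaining fields with 'Vendor.' the way CPS keeps non-ECS data namespaced, and runs a parser validation test case of the kind described above. The field mapping, the sample event and the function names are assumptions made for this example.

```python
import re

# Constructed vendor-to-ECS mapping for this example; a real CPS parser
# carries the full mapping for the product being parsed.
ECS_MAP = {
    "vendor": "observer.vendor", "product": "observer.product",
    "signature": "event.code", "src": "source.ip", "dst": "destination.ip",
    "spt": "source.port", "dpt": "destination.port",
    "suser": "user.name", "act": "event.action",
}

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# (escaped pipes inside header values are not handled in this sketch).
CEF_HEADER = re.compile(
    r"^CEF:(?P<cef_version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<signature>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<severity>[^|]*)\|(?P<extension>.*)$"
)
# Extension key=value pairs; a value runs until the next ' key=' or end of line.
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line: str) -> dict:
    """Split one CEF line into its header fields plus the extension pairs."""
    m = CEF_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a CEF line")
    fields = m.groupdict()
    fields.update(CEF_EXT.findall(fields.pop("extension")))
    return fields

def normalize(raw: dict) -> dict:
    """Rename mapped keys to ECS names; everything else gets the 'Vendor.' prefix."""
    event = {}
    for key, value in raw.items():
        ecs = ECS_MAP.get(key)
        if ecs is None:
            event[f"Vendor.{key}"] = value
        else:
            event[ecs] = int(value) if ecs.endswith(".port") else value
    return event

def run_test_case(line: str, expected: dict) -> list:
    """Parser validation test case: list every expected field that did not match."""
    event = normalize(parse_cef(line))
    return [k for k, v in expected.items() if event.get(k) != v]

# Constructed sample event and the field values the parser must produce.
SAMPLE = ("CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|"
          "src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 act=deny suser=jdoe")
EXPECTED = {"source.ip": "10.0.0.5", "destination.port": 443,
            "event.action": "deny", "Vendor.name": "Connection denied"}
```

`run_test_case(SAMPLE, EXPECTED)` returns an empty list when the parser produces every expected field, which is the pass condition a validation case checks for.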
Content Creation
This domain covers creating operational content within Falcon Next-Gen SIEM: managing lookup data, using pre-built dashboards, writing and optimizing CQL queries, building custom dashboards, creating and tuning correlation rules, and understanding detection source types. This domain is heavily CQL-focused and requires strong query-writing skills.
Key Topics
Must-Know Concepts
- Managing lookup data files: creating, uploading, and referencing lookup data for event enrichment and threat correlation in CQL queries
- Using pre-built dashboards for system activity observation: understanding default dashboards, their data sources, and how to interpret visualizations
- CQL query construction: pipe syntax, filter expressions, comparison operators, logical operators (AND, OR — note OR binds closer than AND), field selection, and aggregation
- CQL functions: groupBy() for grouping and deduplication, stats(count()) for aggregation, top() for ranking, eval() for calculated fields, regex() for pattern extraction, rename(), replace(), sort(), formatTime()
- CQL query optimization: reducing query scope with time ranges and filters, using efficient aggregation, minimizing regex on large datasets, and leveraging indexed fields
- Building custom dashboard visualizations: widget types, data source binding, interactive drill-down, and real-time vs historical data views
- Creating correlation rules: defining detection logic in CQL, setting severity levels, assigning MITRE ATT&CK techniques, and configuring alert actions
- Tuning correlation rule behavior: adjusting thresholds, adding exclusions, refining time windows, and reducing false positives without losing true positives
- Categorizing vendor-native vs external detection sources: understanding which detections come from CrowdStrike modules vs third-party forwarded alerts
Automation and Integration
This domain covers automating security operations using Falcon Fusion SOAR workflows, generating API authentication credentials, and implementing API integrations using the FalconPy SDK. While a small domain by weight, it tests practical automation skills that bridge SIEM data with response actions.
Key Topics
Must-Know Concepts
- Falcon Fusion SOAR workflow capabilities: no-code visual builder, scheduled/on-demand/event-triggered workflows, first-party and third-party actions, and natural language workflow generation
- SOAR workflow action types: device queries, email notifications, Jira ticket creation, log writing, host containment, and custom HTTP actions
- API authentication credential generation: creating OAuth 2.0 Client ID and Client Secret pairs, scoping permissions, and managing credential lifecycle
- FalconPy SDK implementation: Service Classes (per-API-collection) vs Uber Class (single interface), automatic token management, and basic API interaction patterns
- HTTP Actions in SOAR: three authentication methods (API keys, OAuth 2.0, CrowdStrike-specific), integration with external tools and services