ECCouncil 312-39 - Certified SOC Analyst (CSA v2)

The Windows event that is logged when a user tries to access a “Registry” key is identified by the event ID 4657. This event ID corresponds to the modification of a registry value. Here’s how the process is tracked and logged:

Detection: The system monitors access to registry keys and values.

Logging: If a user accesses a registry key, and the key’s audit policy is set to log such events, the event is logged.

Event ID 4657: This specific event ID is used to denote that a registry value wasmodified, which includes creation, modification, and deletion of registry values.

Audit Policy: For the event to be logged, “Set Value” auditing must be enabled in the registry key’s System Access Control List (SACL).

CSV is a structured, tabular text format where each record is a row and fields are separated by commas, making it easy to parse, import into spreadsheets, and export into databases. The scenario specifically calls for a text file with rows and columns, readability, and easy export to databases or spreadsheet-based analysis—these are classic CSV strengths. Cloud storage is a storage location/architecture, not a log format. Syslog is a transport and message format family used for sending event messages from systems and network devices; it is often semi-structured but not inherently “rows and columns” in a tabular file structure. A database is a storage system rather than a file format; while logs can be stored in databases, the question asks specifically for a text file format. In SOC practice, CSV is commonly used for exporting specific datasets for reporting, offline analysis, and sharing with stakeholders, especially when interoperability is needed. For high-scale SIEM ingestion, formats like JSON are often preferred, but given the explicit requirement for a tabular text file compatible with spreadsheets, CSV is the correct choice.

 For InternetInformation Service (IIS) version 7.0, the default location for web server logs is in the directory %SystemDrive%\inetpub\logs\LogFiles. Within this directory, you will find subfolders named W3SVCN, where N is a number that corresponds to the site ID of the IIS instance. These folders contain the log files for each website hosted on the server. Harley, as a SOC analyst, can investigate these logs for any anomalies by accessing this path.

Event ID 4740 is a security audit event in Windows that indicates a user account has been locked out. This event is generated every time the system locks out a user account due to repeated logon failures, which are typically caused by incorrect password entries. The event is logged on domain controllers, member servers, and workstations where the lockout occurred. It includes details such as the account name, domain, and the computer from which the lockout originated.

The scenario describes creating a ticket and escalating/assigning it to the appropriate analyst, which is incident recording and assignment. This phase is where the SOC formally documents the reported event, creates an incident record in the tracking system (often SIEM/SOAR or ticketing), sets initial severity/priority, and assigns ownership for investigation. While triage will follow quickly (or may begin in parallel), the explicit action described is logging the incident as a ticket and escalating it to Tier 2. Containment would involve actions to stop spread (isolate endpoint, block C2, disable accounts), which are not described yet. Notification refers to informing broader stakeholders (management, legal, IT) and is not the focus here. From a SOC workflow standpoint, accurate incident recording and assignment is crucial because it ensures accountability, preserves initial report details (time, symptoms, impacted user/device), and triggers SLA-driven response processes. Once assigned, the Tier 2 analyst will conduct triage and verification, then drive containment and eradication if ransomware is confirmed.

These activities fall under Preparation because they are about building readiness before incidents occur. Preparation includes developing and documenting playbooks, establishing tooling and infrastructure (SOC facility, monitoring platforms), training staff, defining roles and escalation paths, and exercising procedures through tabletop simulations. The goal is to ensure that when incidents happen, the SOC and incident response teams can respond quickly, consistently, and effectively. Recovery occurs after an incident to restore systems. Incident recording and assignment is the operational step of logging and routing a specific incident. Incident triage is the rapid assessment of a specific alert to determine severity and next actions. None of those are the focus here; the scenario is clearly about capability building and readiness. From a SOC maturity perspective, strong preparation reduces response time, minimizes confusion during high-stress events, improves coordination across teams, and enhances compliance posture by demonstrating that the organization has defined and tested incident handling procedures.

Log normalization is the key step that converts heterogeneous logs into a consistent, common schema so analysts and detections can reliably query and correlate events. In real SOC workflows, different sources use different field names, timestamp formats, severity labels, and value conventions (for example, “src_ip” vs “SourceIP,” “user” vs “AccountName”). Normalization standardizes these into consistent fields (time, host, user, source/destination, action, outcome), enabling rule logic and dashboards to work across vendors without constant manual translation. Log collection is simply getting logs into a central place; it does not guarantee they are usable or consistent. Log transformation is a broader term that can include parsing or enrichment, but normalization is the specific practice of mapping diverse formats into a common model. Log correlation comes after normalization; correlation links related events (e.g., failed logons + suspicious process + outbound beaconing) and depends on normalized data to work well. Since the problem is explicitly “multiple formats” and manual conversion delays investigation, the best solution is normalization to accelerate triage, reduce query complexity, and improve detection fidelity.

To meet the stated needs—collecting, analyzing, correlating, and alerting—log management and security analytics is the core SIEM capability set. Log management covers ingestion, parsing, normalization, storage, retention, and search. Security analytics covers detection rules, correlations, behavioral analytics, alerting, and dashboards that turn raw events into actionable incidents. These functions are essential for identifying potential HIPAA violations (unauthorized access, anomalous data access, improper privilege use) and producing timely alerts and audit evidence. “Centralized SIEM implementation” is an architectural statement rather than a capability; centralization helps but doesn’t describe the functions needed. “Log collection through agents” is one ingestion method and is important for coverage, but by itself it doesn’t provide analysis and correlation. Threat hunting and intelligence are valuable enhancements, but the requirement described is the baseline SIEM function: manage logs and apply analytics to detect and alert. From a SOC standpoint, this also supports compliance because strong log management with tuned analytics enables both real-time incident response and retrospective investigations with reliable retention and audit trails.

A Cloud Access Security Broker (CASB) is designed to provide visibility and policy enforcement for cloud application usage, especially in SaaS, and can extend controls across cloud services by monitoring access, enforcing data protection policies, and restricting risky sharing behaviors. The scenario emphasizes enforcing access policies, controlling data sharing, preventing sensitive data exposure, and supporting compliance—these are core CASB outcomes. CSPM focuses on configuration security and posture management (misconfigurations, compliance checks, policy drift) across cloud infrastructure, but it does not primarily enforce user-level access and data sharing controls inside cloud apps. CWPP protects workloads (VMs, containers, serverless) with runtime protection, vulnerability management, and threat detection at the compute layer, which is different from governing access and data sharing across SaaS/PaaS/IaaS usage. Cloud-native anomaly detection is a capability rather than the governance and policy enforcement layer described. From a SOC perspective in regulated environments, CASB helps reduce data leakage risk via controls like DLP policies, session controls, shadow IT discovery, and conditional access enforcement—matching the requirements in the question.

Grok filters are widely used to parse unstructured or semi-structured logs into structured fields by applying pattern-based extraction. In SOC environments, many logs arrive as free-form text (application logs, custom service logs, legacy device logs). Grok allows analysts/engineers to define reusable patterns (for timestamps, IPs, usernames, HTTP methods, error codes) and map extracted values into normalized fields. This enables reliable querying, correlation, dashboards, and alert rules in a SIEM because the same concept (source IP, user, action) is consistently represented. Delimited parsing is effective when logs are already consistently separated by commas/tabs/pipes, but the question emphasizes “raw, unstructured logs,” where delimiters may not be stable. Key-value extraction is excellent when logs are already formatted as key=value pairs, but unstructured logs often lack consistent keys. Semantic parsing is more advanced (often involving deeper content understanding) and may not be the practical first choice for rapid operational parsing at scale. For a fast-growing SOC needing immediate improvements in structure and queryability, Grok-style pattern parsing is a proven, practical technique to convert messy log lines into actionable structured data.