ECCouncil 312-39 - Certified SOC Analyst (CSA v2)

Moving from a low-maturity SOC to a more capable, repeatable operation requires a stable operational foundation before advanced technology layers. Establishing well-defined and repeatable incident response processes is the correct first priority because it creates consistency in how alerts are triaged, escalated, contained, investigated, and documented. At Level 1, organizations often operate ad hoc: inconsistent handoffs, unclear severity criteria, and weak documentation. Without standardized processes and playbooks, adding AI automation or deception technologies can amplify confusion or trigger disruptive actions based on poorly understood signals. Repeatable IR processes also enable measurement—KPIs like MTTA/MTTR, false positive rates, and containment effectiveness—which is essential to progress to Level 3 maturity. Threat intelligence integration and behavior analytics become far more effective when the SOC has defined workflows to consume intelligence, update detections, and execute response steps predictably. Outsourcing is a resourcing model choice rather than a maturity prerequisite. Therefore, the first step is building structured, documented, consistently executed incident response procedures that create the platform for tuning, automation, and advanced analytics.

In the context of alert triaging within a Security Operations Center (SOC), the priority of alerts is typically determined based on the potential impact and urgency of the threat they represent.

Firewall blocking traffic alerts indicate that the firewall iseffectively doing its job by blocking unwanted traffic. While it’s important to review these alerts to ensure legitimate traffic isn’t being blocked, they generally represent a lower priority because the immediate threat has been mitigated by the firewall.

SQL injection attempt alerts are of high priority because they indicate an active attempt to exploit a security vulnerability in order to manipulate or steal data.

Data deletion attempt alerts also carry high priority as they could signify an attempt to remove or corrupt critical data, which could have significant impact on the availability and integrity of data.

Brute-force attempt alerts are important as they may indicate an ongoing attempt to gain unauthorized access to systems. However, if the attempts are being blocked, these alerts may be of a slightly lower priority compared to an active exploit attempt like SQL injection.

Given these considerations, the alert for the firewall blocking traffic would generally be given the least priority, as it indicates a threat that has already been contained.

To monitor and visualize Tor traffic hitting the network, John would need data sources that can provide detailed information about the source IP addresses of incoming traffic, as well as the capability to resolve these IP addresses to more identifiable information such as hostnames or geographical locations. DHCP logs, or other log sources capable of maintaining detailed IP address records and facilitating IP-to-Name resolution, would be suitable for this purpose. This data would allow John to create a dashboard in the SIEM system that maps the source IP addresses of Tor traffic to their corresponding locations or identities, providing insights into where the Tor traffic is originating. While web server logs (options B, C, and D) can provide IP addresses, they might not offer the same level of detail or resolution capabilities as DHCP logs or similar network-level logs for this specific use case.

Security logs are the primary source for auditing access and changes to protected objects, including files and folders, when file auditing is enabled. In Windows environments, this typically maps to “Object Access” auditing, which can record who accessed a file, what type of access was attempted (read, write, delete), and when it occurred. For a SOC analyst investigating unauthorized modifications, the goal is attribution (which user/account), timing (outside business hours), and action (write/modify/delete). Authentication logs show who logged in and from where, but they don’t reliably indicate which file was modified unless correlated with object access events. Firewall and general network logs can help confirm remote access paths or suspicious connections, but they won’t provide authoritative “who modified which file” evidence. In practice, the SOC would validate that file/folder auditing is enabled on the file server and that relevant events are being collected centrally. Then they correlate file access/modify events with sign-in activity, source device, and any privilege escalation indicators. Because the question specifically asks for determining “who accessed the files and when modifications occurred,” Security logs are the most direct and forensically valuable option.

 In a push-based log collection mechanism, the system or application actively sends (or “pushes”) log records to a designatedstorage location, which can be either on the local disk or over a network to a remote server. This is in contrast to a pull-based mechanism, where the log records are retrieved (or “pulled”) by the management server from the devices.

The push-based mechanism is often used for real-time monitoring and alerting because it allows for immediate transfer of log data as events occur. This method ensures that log records are consistently and reliably sent to a central repository without the need for a third-party service to request or retrieve them.

A syslog relay is specifically used as an intermediary that receives syslog messages from multiple sources and forwards them to an upstream (central) syslog server. In distributed enterprises, relays reduce bandwidth usage across WAN links, provide buffering during intermittent connectivity, and allow local aggregation before forwarding, which improves reliability and manageability. Relays can also apply basic filtering or routing rules so that critical logs are prioritized and noisy logs can be handled appropriately without overwhelming the central collector. A syslog “listener” is typically the process that receives syslog traffic on a given port, but it does not inherently imply forwarding as an architectural role. A syslog “collector” is often used generically to describe a central receiver/ingestion point; however, the question emphasizes an intermediate component that forwards to the main server, which is the role of a relay. A syslog database is for storage/indexing, not message forwarding. From a SOC design standpoint, relays are common in remote sites to maintain log continuity and reduce loss, helping incident investigations by ensuring centralized visibility even when networks are unstable.

A Hybrid Attack is a type of cyber attack that combines elements of a dictionary attack with a brute force attack. It involves taking words from a dictionary (which could be a list of common passwords or related words) and augmenting them with numbers and symbols to generate potential passwords. This method increases the chances of cracking a password by including the common variations that users often add to their passwords to meet complexity requirements.

Capturing and comparing system snapshots before and after suspected compromise is a core method of host integrity monitoring. The goal is to detect unauthorized changes to critical system components such as registry keys, scheduled tasks, services, binaries, configuration files, and security settings. By comparing a known-good baseline snapshot to a suspected-compromised state, analysts can identify what changed, when it changed (with supporting timestamps), and which changes are anomalous relative to expected patching or administrative activity. While this activity can occur within a broader digital forensics investigation, the specific technique described—baseline comparison to detect unauthorized modification—is integrity monitoring. Signature-based detection focuses on matching known indicators (hashes, strings, known patterns) and does not rely on before/after snapshot comparison. Threat intelligence gathering is about collecting and analyzing information on external threats, not directly comparing host states. From a SOC standpoint, integrity monitoring supports rapid scoping and eradication because it highlights persistence and tampering mechanisms that must be removed and can reveal stealth modifications that evade signature scanners. It also supports compliance requirements by demonstrating configuration control and unauthorized-change detection capabilities.

This scenario aligns with requirement analysis because the team is defining what intelligence is needed and how it should be collected and used. The analyst has observed a problem (possible DGA-based malware activity) and recognizes gaps in current detection. The next step in a CTI lifecycle is to translate that concern into actionable intelligence requirements: which telemetry sources are necessary (DNS logs, proxy logs, endpoint telemetry, threat intel on DGA families), what questions must be answered (which hosts, what domains, what patterns, what time windows), and what success criteria look like (detection thresholds, false positive tolerance, enrichment needs). This is the “direction” phase of CTI, where priorities are set and collection needs are specified to ensure intelligence efforts align to threats that matter. “Filtering CTI” would be about reducing noise in collected intelligence or refining feeds after collection. “Intelligence buy-in” is stakeholder alignment and program support, not the analytic definition of requirements. “Automated tool” is not a CTI lifecycle stage. From a SOC perspective, requirement analysis is critical to turn observations into structured detection and hunting objectives that can be measured and improved.