ECCouncil 312-39 - Certified SOC Analyst (CSA v2)

Jennifer is in the Incident Triage phase because she is validating whether the alert is a true incident and quickly assessing scope, severity, and credibility. Triage is the “is this real and how bad is it?” step, typically performed immediately after alert generation or escalation. Pulling EDR logs, SIEM network patterns, and email gateway data is classic triage activity: it helps confirm maliciousness, identify the likely entry vector (phishing attachment vs. drive-by vs. lateral movement), and determine whether containment is needed. Evidence gathering and forensic analysis usually implies a deeper, formalized investigation once an incident is confirmed, including preservation actions, comprehensive artifact collection, and detailed root cause work. Notification is about informing stakeholders after classification and initial scoping. Incident recording and assignment is the ticketing/logging step (creating the case, assigning ownership), which the scenario does not emphasize. Because her stated objective is specifically to determine whether the alert represents a legitimate security incident and she is rapidly checking multiple telemetry sources for confirmation, the best fit is Incident Triage.

Initial containment for suspected data exfiltration by a specific user account should prioritize immediately restricting that account’s ability to access and transfer data. “Access control” is the broad containment category that includes disabling the account, suspending sessions, revoking tokens, removing access to sensitive shares, and applying conditional access blocks. This is the fastest way to stop ongoing data loss while preserving evidence for investigation. “Change passwords regularly” is a general security hygiene practice, not an initial incident containment action, and it may not stop exfiltration quickly if active sessions or tokens remain valid. “Isolate the storage” can be appropriate if a particular repository is being actively exfiltrated, but it can be disruptive to business operations and may not address the actor’s continued access paths across other systems. DCAP is a programmatic capability for monitoring and controlling data access over time; it is valuable, but it is not the immediate first step when the SOC must rapidly stop suspected exfiltration. From a SOC playbook view, the initial action is to reduce attacker/insider access immediately (account restriction), then scope what data was accessed, preserve logs, and coordinate with HR/legal for insider procedures.

In the context of Windows logs, the event severity level that indicates events that are not necessarily significant but may point to a possible future problem is classified as a “Warning.” This level is used to log events that are not immediately harmful, such as an impending disk space shortage or other conditions that could potentially cause problems if not addressed.

Directory Traversal is the technique most directly aligned with “manipulating URL paths to access files and directories outside the web root.” Attackers abuse path sequences (for example, patterns like “../”) or encoded variants to move upward in a directory structure and reach restricted locations such as configuration files, credentials, or system files. In SOC investigations, repeated attempts to request “outside-root” paths in web logs (often with URL encoding, double encoding, or mixed separators) is a classic indicator of traversal probing and exploitation. This differs from SQL injection, which targets database queries and typically shows payloads manipulating SQL syntax (quotes, UNION, tautologies, time delays) rather than filesystem path navigation. XSS focuses on injecting scripts into web pages to run in a victim’s browser, so the log artifacts are more about injected JavaScript/HTML payloads and reflected/stored contexts. Cookie poisoning is a session attack involving tampering with session tokens or cookie values, which shows up as abnormal cookie parameters rather than path traversal requests. Given the explicit evidence of path manipulation to reach unauthorized directories, Directory Traversal is the best match and should drive mitigations such as strict input validation, canonical path checks, least-privilege file permissions, and WAF rules.

Planning and budgeting: This is the initial phase where you determine the scope, objectives, and financial resources available for the lab.

Physical location and structural designconsiderations: Selecting a suitable location and designing the lab to meet operational needs and security requirements.

Work area considerations: Organizing the space efficiently for different tasks such as evidence analysis, storage, and administrative work.

Human resource considerations: Identifying the roles, responsibilities, and qualifications required for lab personnel.

Physical security recommendations: Implementing measures to protect sensitive data and physical assets within the lab.

Forensics lab licensing: Ensuring that the lab and its personnel are compliant with relevant laws, regulations, and industry standards.

HTTP status codes are categorized into fiveclasses, where each class is represented by the first digit of the status code. The 5XX series of status codes indicates server errors, which means that the server is aware that it has encountered an error or is otherwise incapable of performing the request. Common examples of 5XX status codes include 500 (Internal Server Error), 501 (Not Implemented), 502 (Bad Gateway), etc. These indicate that the request was valid, but the server failed to fulfill the request due to some issue on the server side.

In a Risk Matrix, risk levels are determined by the intersection of the likelihood of anoccurrence (probability) and the consequence of that occurrence (impact). When the probability of an event is very high and the impact is major, it typically falls into the ‘Extreme’ category. This is because the combination of a high likelihood and major impact represents a scenario where the risk is unacceptable and requires immediate attention and mitigation measures.

A false negative occurs when malicious activity happens but the detection logic fails to alert. In this case, an attacker successfully authenticates after multiple failed attempts, yet the SIEM rule does not trigger because the threshold (10 failed attempts) was not met. The incident is real, but the system missed it—this is the definition of a false negative. From a SOC engineering perspective, this highlights a common tuning pitfall: rigid thresholds can be evaded by attackers who adjust timing or stop just short of the trigger condition. To reduce false negatives, SOC teams often implement layered detections: alert on “many failed attempts” (lower thresholds), alert on “failed attempts followed by a success,” incorporate user risk context (unusual source IP/geo), and add account lockout or MFA policies to reduce attack success. A false positive would mean an alert triggered for benign activity, which did not occur here. True positives/true negatives require the SIEM to correctly alert or correctly stay silent, respectively. Since the SIEM stayed silent during an actual compromise, the classification is false negative.

A DMZ is the standard architecture component used to place internet-facing services (web, mail relays, reverse proxies) into a separate, controlled network segment that sits between the untrusted internet and the trusted internal network. From a SOC perspective, the DMZ reduces the impact of compromise by limiting lateral movement opportunities. Even if a web server is exploited (SQL injection, remote code execution, credential theft), the attacker is confined to a segment with strict, minimal access rules into internal systems. This is achieved by enforcing tightly scoped inbound and outbound traffic policies at the DMZ boundaries, typically allowing only necessary ports and explicitly approved flows (for example, web tier to app tier on a specific port, with no direct route to employee data networks). A firewall is a control that enforces policy, but the “isolated region/buffer zone” concept is specifically the DMZ. IDS and honeypots are detection/deception controls; they do not provide the segmentation boundary required to isolate public-facing systems from sensitive internal networks.