312-39 ECCouncil Certified SOC Analyst (CSA v2) Free Practice Exam Questions (2026 Updated)

Reliable delivery across unreliable networks is primarily a transport-layer concern. The syslog transport layer covers how messages are transmitted between devices, relays, and collectors, including protocol choice and delivery assurance. Many syslog deployments default to UDP for simplicity, but UDP is lossy and does not guarantee delivery—problematic for remote sites and compliance-driven logging. Hardening transport typically involves using TCP (reliable delivery), TLS for encryption and integrity, buffering/queueing at relays, retransmission handling, and monitoring of connection health and backlog. The content layer is about message format and fields; management and filtering is about routing and reduction of noise; application layer relates to the syslog-generating and receiving software. Those are important, but they do not address the fundamental need for dependable delivery under network instability. From a SOC perspective, transport reliability directly impacts forensic completeness, alert accuracy, and compliance evidence. Therefore, optimizing and hardening the syslog transport layer is the correct priority.

Event ID 4616 is the key Windows Security log event for “system time was changed,” and it is the primary artifact to confirm and investigate time-tampering. It typically includes details such as the previous time, the new time, and the account or process context responsible, which helps the SOC determine whether the change was authorized (maintenance) or suspicious (off-hours, unusual account, unexpected host). Event ID 4618 is useful as a companion signal because it indicates monitored security-relevant conditions and can help reveal related suspicious behavior around auditing or security event patterns that may coincide with timestamp manipulation. In practice, SOC analysts correlate the time-change event with surrounding authentication events, privilege use, and process creation telemetry to identify the actor and intent. The other options do not directly target the time-change activity: 4608/4609 relate to system startup/shutdown; 4625 is failed logon and 4634 is logoff; 4624 is successful logon (useful context, but not the event that records the time modification itself). Therefore, the best pairing for investigating time tampering in the options provided is 4616 and 4618.

An in-house/internal SOC model best fits when data sovereignty, strict control of sensitive data, and operational independence are the top priorities—and when the organization has the budget and staffing capacity to operate 24/7. For a government agency handling health records, limiting third-party access reduces legal, compliance, and privacy risk. An internal SOC can ensure that telemetry, incident artifacts, and investigative outputs remain within national borders and under direct governance, supporting sovereignty mandates and chain-of-custody requirements. Outsourced or multi-MSSP models increase external data exposure and often require sharing logs, incident details, or access into systems—conflicting with the requirement for complete control. A hybrid model can be effective when internal capability is limited and external expertise is needed, but the prompt explicitly states the agency can hire many professionals and wants full control. From a SOC operations perspective, an in-house SOC also allows customization of playbooks, escalation paths, and compliance reporting aligned to government standards, and it reduces dependency on vendor timelines during high-severity incidents. Therefore, the most suitable model is in-house/internal SOC.

Isolating the finance department’s VLAN is a classic containment action. Containment focuses on limiting spread, stopping additional damage, and preventing further compromise while the team stabilizes the environment. In ransomware incidents, rapid segmentation and isolation can prevent lateral movement, reduce the number of encrypted systems, and preserve critical services. The scenario shows escalation to leadership, activation of the IRT, and immediate network isolation—all consistent with containment. Eradication would come next and involves removing ransomware artifacts, closing exploited vulnerabilities, eliminating persistence mechanisms, and ensuring the threat cannot return. Evidence gathering and forensic analysis may occur in parallel after containment, especially to preserve volatile evidence, but the central action described is isolation to stop spread. Notification involves informing stakeholders (legal, leadership, regulators) and is not the primary activity described. From a SOC playbook standpoint, containment is often the first priority once ransomware is confirmed because time is critical: every minute of uncontrolled spread increases operational and financial impact. Therefore, the current phase is containment.

In a RiskMatrix, risk levels are determined by the intersection of the likelihood of an event occurring and the impact that event would have if it did occur. When the probability of an attack is very low, it means that the event is unlikely to happen. However, if the impact of that attack is major, it suggests that the event would have significant consequences if it did occur.

The combination of a very low probability with a major impact typically results in a low risk level. This is because the overall risk is mitigated by the low chance of the event happening, despite the potential for a significant impact. Therefore, even though the impact is major, the risk level is kept low due to the very low likelihood of occurrence.

Account lockout is an identity control that directly strengthens authentication by limiting repeated password guessing attempts. It sits within authentication and authorization measures because it governs how accounts can authenticate and how access is granted or denied based on login outcomes. In SOC terms, brute-force attacks target the authentication surface; lockout policies reduce attacker attempts and can prevent successful compromise by forcing a pause or administrative intervention after repeated failures. While the policy may be implemented on hosts or via directory services, its purpose is to control identity access behavior, not network segmentation or physical protections. Host security measures typically refer to endpoint hardening, patching, EDR controls, and local configuration baselines. Network security measures include firewall rules, segmentation, and traffic filtering. Physical security includes facility and device access controls. Because the action is specifically about controlling login attempts and access to accounts, it is best categorized as authentication and authorization. In practice, SOC teams complement lockout policies with MFA, conditional access, password spraying detection, and monitoring for “failures followed by success” patterns to reduce both brute-force success and user disruption.

In the context of a Security Operations Center (SOC), EPS typically refers to “Events Per Second,” which is a measure of the number of security events processed in one second. The correct formula for calculating EPS in a SOC environment is the number of correlated events divided by the time in seconds. Correlated events are those that have been analyzed and aggregated by the SOC’s security information and event management (SIEM) system, indicating a potential security incident. This metric helps in understanding the operational load and performance of the SOC.

These activities fall under Preparation because they are about building readiness before incidents occur. Preparation includes developing and documenting playbooks, establishing tooling and infrastructure (SOC facility, monitoring platforms), training staff, defining roles and escalation paths, and exercising procedures through tabletop simulations. The goal is to ensure that when incidents happen, the SOC and incident response teams can respond quickly, consistently, and effectively. Recovery occurs after an incident to restore systems. Incident recording and assignment is the operational step of logging and routing a specific incident. Incident triage is the rapid assessment of a specific alert to determine severity and next actions. None of those are the focus here; the scenario is clearly about capability building and readiness. From a SOC maturity perspective, strong preparation reduces response time, minimizes confusion during high-stress events, improves coordination across teams, and enhances compliance posture by demonstrating that the organization has defined and tested incident handling procedures.

The focus on cookie attributes (HttpOnly, Secure, SameSite) strongly aligns with session security and session integrity. These attributes are designed to protect session cookies from being stolen or misused: HttpOnly limits JavaScript access to cookies, Secure restricts cookies to HTTPS, and SameSite reduces cross-site request risks. When investigators assess these settings, they are often evaluating whether session tokens could be manipulated, injected, fixed, or abused—behaviors consistent with session poisoning and related session attacks. While XSS can be used to steal cookies, the investigation described is not centered on injected script payloads in application responses; it is centered on cookie security posture and abnormal request patterns tied to sessions. SQL injection is primarily about manipulating database queries and would be investigated through query-related payloads and database error patterns rather than cookie attribute review. MITM attacks can intercept session cookies if transport security is weak, but the question emphasizes cookie attribute weaknesses and anomalous session request patterns—more directly associated with session poisoning/session hijacking analysis. In SOC response, confirming session attack vectors typically leads to rotating session secrets, invalidating active sessions, tightening cookie flags, enforcing TLS, and adding anomaly detection for session token reuse and impossible travel.

A trend analysis report is designed to show how incident frequency, types, severity, and impact change over time, which is exactly what leadership needs for investment decisions. The scenario is about demonstrating an increase in malware incidents over six months and linking them to phishing as an entry vector. A trend report can quantify growth rates, highlight recurring patterns, identify peak periods, compare pre- and post-control effectiveness, and estimate business risk (downtime, remediation hours, affected users). This supports a clear business case for budget: if phishing-driven malware is increasing, investments in email filtering and user training directly address the root cause and should reduce future incident volume. A monitoring summary report may provide a snapshot but often lacks time-series depth. A real-time monitoring report focuses on current status and active alerts, not long-term justification. An incident report is typically focused on a single event and is useful for lessons learned but not for demonstrating systemic trends. From a SOC management perspective, trend analysis aligns technical evidence with strategic decisions, making it the most effective report type to support funding for preventive controls and awareness programs.

The analyst has already identified a clear anomaly (spike in failures), attributes (single external IP), and potential attack type (credential stuffing/brute force). At this point, the correct next step is to investigate and analyze: validate the activity, confirm scope, and determine whether any attempts succeeded or led to additional malicious actions. In practical SOC threat hunting, this means pivoting from the initial observation to structured analysis: check for successful logons from the same source, identify targeted accounts and servers, correlate with geo/location anomalies, review authentication methods, and look for follow-on behaviors like privilege escalation, token issuance, or suspicious process execution on targeted hosts. “Establish a baseline” is a step used earlier when normal patterns are unknown; here the activity is already recognized as abnormal. “Continuous improvement” is a post-activity maturity step (tuning detections, updating playbooks). “Rapid response” can be part of containment if compromise is confirmed or imminent, but the question asks specifically for the next step in threat hunting to assess further. Therefore, investigation and analysis is the best fit, enabling informed containment actions such as IP blocks, account lockouts, MFA enforcement, and credential resets based on evidence.

After identifying the required event sources in a Security Operations Center (SOC) process, the next stage is to define rules for the use case. This involves specifying the criteria or conditions that will trigger alerts or actions based on the data received from the identified event sources. It is a critical step in ensuring that the SOC can effectively monitor and respond to security events.

The scenario describes creating a ticket and escalating/assigning it to the appropriate analyst, which is incident recording and assignment. This phase is where the SOC formally documents the reported event, creates an incident record in the tracking system (often SIEM/SOAR or ticketing), sets initial severity/priority, and assigns ownership for investigation. While triage will follow quickly (or may begin in parallel), the explicit action described is logging the incident as a ticket and escalating it to Tier 2. Containment would involve actions to stop spread (isolate endpoint, block C2, disable accounts), which are not described yet. Notification refers to informing broader stakeholders (management, legal, IT) and is not the focus here. From a SOC workflow standpoint, accurate incident recording and assignment is crucial because it ensures accountability, preserves initial report details (time, symptoms, impacted user/device), and triggers SLA-driven response processes. Once assigned, the Tier 2 analyst will conduct triage and verification, then drive containment and eradication if ransomware is confirmed.

In the context of Windows logs, the event severity level that indicates events that are not necessarily significant but may point to a possible future problem is classified as a “Warning.” This level is used to log events that are not immediately harmful, such as an impending disk space shortage or other conditions that could potentially cause problems if not addressed.

Cleanup is the phase where adversaries attempt to cover their tracks and reduce the chance of detection or attribution. The described behaviors—altering logs, wiping forensic artifacts, modifying timestamps, and tampering with monitoring tools—are classic defense evasion and anti-forensic actions. In SOC investigations, these actions indicate the attacker is prioritizing stealth and persistence after completing objectives, making reconstruction more difficult. Search and exfiltration focuses on locating valuable data and transferring it out; while that happened earlier, the key activities described are about removing evidence and obscuring the timeline. Initial intrusion refers to the first entry (phishing, exploit, stolen credentials). Expansion refers to broadening access (lateral movement, privilege escalation) across the environment. The scenario explicitly emphasizes manipulating logs and monitoring to hide activity and prevent alerts, which aligns most closely with cleanup. For defenders, this phase drives urgency: isolate affected systems, preserve volatile data quickly, validate logging pipelines, and use independent telemetry sources (network flows, cloud control-plane logs, immutable logging) to rebuild the attack chain despite tampering.

Once an L2 SOCAnalyst like Charline confirms an incident, the SOC workflow dictates that the incident must be formally documented. This involves raising a ticket in the incident management system. The ticket should include all relevant details from the investigation, such as the nature of the incident, the affected systems, and the initial priority assigned. After raising the ticket, the L2 Analyst should forward it to the Incident Response Team (IRT). The IRT will then take over the incident to conduct a deeper analysis, perform containment measures, eradicate the threat, and recover systems to normal operation.

MFA is the most effective long-term control among the options because it directly reduces the attacker’s ability to succeed even when passwords are guessed, reused, or stolen. Brute-force and credential stuffing attacks exploit the single-factor nature of passwords; MFA adds an additional verification factor (authenticator app prompt, FIDO2 key, certificate-based auth), making account takeover significantly harder. From a containment standpoint, blocking IPs and enabling lockout can reduce immediate attack volume, but attackers commonly rotate IPs, use botnets, or target many accounts in parallel, which can also cause operational impact via account lockouts (denial of service against users). Cross-verifying false positives is important for accuracy, but it does not strengthen security. Notifying users can help awareness but is not a technical control. In SOC operations, the best practice is layered containment: immediate throttling/blocks and lockout tuning for the active attack, followed by durable hardening controls. MFA is the durable hardening step that meaningfully reduces future brute-force success rates and complements conditional access policies (geo/time/device risk) and stronger password protections.

Eradication is about removing the threat and eliminating the conditions that allowed it to persist or recur. “Fixing devices” best aligns with addressing root causes because it implies remediating exploited weaknesses: patching vulnerable software, correcting misconfigurations, removing persistence mechanisms, hardening endpoints/servers, and restoring secure baselines. In healthcare environments, malware frequently exploits unpatched systems, exposed services, weak segmentation, permissive scripting policies, or inadequate least privilege. Quarantining with antivirus is helpful for immediate removal but may not eliminate the exploited vulnerability or persistence path; attackers can reinfect if the underlying gap remains. Updating signatures improves detection for known malware but does not address a misconfiguration or missing patch and will not reliably stop novel variants. Blacklisting file execution can reduce risk but is typically a partial, reactive control and can be bypassed by renaming, living-off-the-land tools, or script-based payloads. From a SOC analyst perspective, the most durable eradication action is to “fix the device” by restoring trusted configuration and closing the exploit vector, combined with validation scans and monitoring to confirm the environment is clean and hardened.

The Systems Security Engineering Capability Maturity Model (SSE-CMM) is the framework that describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering. The SSE-CMM provides a standard metric for security engineering practices, covering the entire lifecycle of development, operation, maintenance, and decommissioning activities. It also includes management, organizational, and engineering activities, as well as interactions with other disciplines and organizations1.