EC-Council Intermediate

312-75

CSA - Certified SOC Analyst

The Certified SOC Analyst (CSA) is a specialized certification designed to train cybersecurity professionals to perform effective security operations center (SOC) functions. This certification validates the skills required to detect, analyze, and respond to security incidents in real-time using SIEM platforms and threat intelligence. CSA focuses on practical SOC operations and prepares professionals to work as Tier 1 and Tier 2 SOC analysts.

The exam covers five domains: Security Operations and Management (SOC structure, processes, security operations), Understanding Cyber Threats and IoCs (threat landscape, attack vectors, indicators of compromise, threat actor TTPs), SIEM Deployment and Monitoring (SIEM architecture, log collection, correlation rules, alert creation), Enhanced Incident Detection with Threat Intelligence (threat intelligence platforms, MITRE ATT&CK, threat hunting), and Incident Response and Management (incident triage, escalation, containment, reporting).

This certification is ideal for SOC analysts, security analysts, security engineers, threat hunters, SIEM administrators, and cybersecurity professionals working in security operations centers. CSA provides hands-on experience with industry-leading SIEM solutions and prepares candidates to monitor networks, analyze security events, detect threats, and respond to incidents using established playbooks and runbooks.

Updated May 2023 Cybersecurity

100

Questions

Practice Tests

70%

Pass Score

Views

Total Attempts

Avg. Score

Pass Rate

Discussions

Practice Tests Flash Cards Exam Topics Cheat Sheet

€5.00

CSA Practice Exam 1

Comprehensive 50-question practice exam covering SOC operations and management, cyber threats and indicators of compromise, SIEM deployment and monitoring, threat intelligence for incident detection, and incident response procedures.

50 Q 90 minutes 70%

Test Drive

€5.00

CSA Practice Exam 2

Comprehensive 50-question practice exam covering SOC metrics and KPIs, kill chain analysis, IoC identification, SIEM alert tuning, use case development, STIX/TAXII standards, threat hunting, incident containment, evidence preservation, and SOAR integration.

50 Q 90 minutes 70%

Test Drive

€5.00

CSA Practice Exam 3

Advanced 50-question practice exam covering SOC automation and orchestration, advanced SIEM use cases, UEBA analytics, threat hunting methodologies, malware traffic analysis, cloud SOC operations, and compliance monitoring integration.

50 Q 90 minutes 70%

Test Drive

€5.00

CSA Practice Exam 4

Advanced 50-question practice exam covering advanced correlation rules, machine learning in SOC operations, network traffic analysis, endpoint telemetry, threat intelligence operationalization, purple teaming, advanced incident handling, SOC metrics, cloud-native monitoring, and deception technology.

50 Q 90 minutes 70%

Test Drive

€5.00

CSA Practice Exam 5

Advanced 50-question practice exam covering threat actor profiling, supply chain attack detection, encrypted traffic analysis, DNS security monitoring, email security operations, vulnerability prioritization, OT/ICS SOC operations, insider threat monitoring, regulatory compliance, and SOC shift management.

50 Q 90 minutes 70%

Test Drive

€5.00

CSA Practice Exam 6

Final comprehensive 50-question practice exam covering SOC analyst scenarios, multi-stage attack detection, advanced SIEM troubleshooting, threat intelligence platform management, complex incident scenarios, SOC maturity assessment, emerging threats, SOC career progression, full domain review, and real-world case studies.

50 Q 90 minutes 70%

Test Drive

Unlock All Content for 312-75

6 Practice Test(s) + Flash Cards — 3 months access

€39.99 €26.99 Save 30%

or included with Monthly subscription / Content Bundle

312-75 Cheat Sheet

Quick reference guide - 6 sections

Free Access

CSA 312-75 Exam Details

Detail	Value
Exam Code	312-75 CSA
Full Name	Certified SOC Analyst
Vendor	EC-Council
Duration	180 minutes (3 hours)
Number of Questions	100 multiple choice
Passing Score	70%
Exam Fee	$249 USD (ECC Exam Centre) / $349 USD (Pearson VUE)
Certification Level	Associate / Entry-level SOC

Domain Weight Breakdown

Domain	Weight
1. Security Operations and Management	20%
2. Understanding Cyber Threats, IoCs, and Attack Methodology	20%
3. Incidents, Events, and Logging	20%
4. Incident Detection with SIEM	25%
5. Enhanced Incident Detection with Threat Intelligence	15%

About the CSA Certification

The EC-Council Certified SOC Analyst (CSA) is designed for Tier I and Tier II SOC analysts. It validates the ability to monitor, detect, triage, and respond to security incidents using SIEM solutions and other SOC tools. The certification covers end-to-end SOC operations including log management, SIEM deployment, incident detection, and basic threat intelligence integration. CSA bridges the gap between entry-level IT security knowledge and the hands-on skills required to operate in a modern Security Operations Center.

Prerequisites include a minimum of one year of experience in the IT security or network administration domain, or completion of EC-Council's official CSA training. The CSA is commonly pursued alongside or after CompTIA Security+ and before the CEH (Certified Ethical Hacker) or ECIH (EC-Council Certified Incident Handler) certifications.

SOC Tier Structure

Tier	Role	Responsibilities
Tier 1 (L1)	Alert Analyst / Triage Specialist	24/7 monitoring, initial alert triage, ticket creation, false positive filtering, escalation to L2
Tier 2 (L2)	Incident Responder / Deep Analyst	Deep-dive investigation, correlation analysis, containment actions, malware triage, IoC enrichment
Tier 3 (L3)	Threat Hunter / Subject Matter Expert	Proactive threat hunting, advanced forensics, SIEM rule tuning, playbook development, threat intelligence
SOC Manager	Operations Lead	Team management, KPI reporting, budget, tool selection, stakeholder communication, process improvement

SOC Models

Model	Description	Pros / Cons
In-house SOC	Fully internal team and infrastructure	Full control, high cost, staffing challenges
Virtual SOC	No dedicated facility; part-time or reactive analysts	Low cost, limited visibility, no 24/7
Co-managed / Hybrid SOC	Internal team + MSSP partnership	Balanced cost and control, shared responsibility
Outsourced SOC (MSSP)	Managed Security Service Provider handles all operations	24/7 coverage, less control, data privacy concerns
Command SOC	Central SOC coordinating multiple regional SOCs	Enterprise-scale, unified threat picture

Core SOC Tools

Tool Category	Purpose	Examples
SIEM	Log aggregation, correlation, alerting, dashboards	Splunk, IBM QRadar, ArcSight, Elastic SIEM, LogRhythm
SOAR	Security orchestration, automation, and response playbooks	Splunk SOAR (Phantom), Palo Alto XSOAR, IBM Resilient
TIP	Threat Intelligence Platform for IoC management and enrichment	MISP, Anomali ThreatStream, Recorded Future
IDS/IPS	Network intrusion detection and prevention	Snort, Suricata, Cisco Firepower
EDR	Endpoint detection, investigation, and response	CrowdStrike Falcon, Carbon Black, SentinelOne
Ticketing	Incident tracking and workflow management	ServiceNow, Jira, TheHive

SOC KPIs & Metrics

Metric	Definition	Target
MTTD	Mean Time To Detect - Average time from compromise to detection	Minimize (hours, not days)
MTTR	Mean Time To Respond - Average time from detection to containment	Minimize (minutes to hours)
MTTI	Mean Time To Investigate - Time spent on deep analysis per incident	Optimize (reduce with automation)
False Positive Rate	Percentage of alerts that are benign after triage	Reduce through rule tuning
Alert Volume	Total alerts generated per day/week	Track trends, reduce noise
Dwell Time	Total time an attacker remains undetected in the environment	Minimize (industry avg ~21 days)

Exam Tip: MTTD and MTTR are the two most critical SOC metrics tested on the CSA exam. Remember: MTTD = time to discover, MTTR = time to resolve. Low values indicate a mature SOC.

SOC Workflow: Alert Lifecycle

1. Alert Generation: SIEM correlation rule fires based on log data matching a detection pattern
2. Triage (L1): Analyst reviews alert context, checks for false positive, assigns severity (Critical/High/Medium/Low/Informational)
3. Investigation (L2): Deep analysis of related logs, network traffic, endpoint telemetry; IoC enrichment via threat intel
4. Escalation (L3): Advanced threat hunting, forensic artifact collection, root cause analysis if needed
5. Response: Containment (isolate host, block IP), eradication (remove malware), recovery (restore services)
6. Closure & Reporting: Document findings, update playbooks, create lessons learned, close ticket

Critical Windows Event IDs

Event ID	Log	Description	SOC Relevance
4624	Security	Successful logon	Track user access, detect lateral movement
4625	Security	Failed logon	Brute force detection (multiple failures)
4634	Security	Logoff	Session duration analysis
4648	Security	Logon with explicit credentials	Credential abuse, runas usage
4672	Security	Special privileges assigned to new logon	Admin logon, privilege escalation tracking
4688	Security	New process created	Suspicious process execution (PowerShell, cmd)
4720	Security	User account created	Rogue account creation
4732	Security	Member added to security-enabled local group	Privilege escalation (added to Administrators)
1102	Security	Audit log cleared	Anti-forensics / evidence destruction
7045	System	New service installed	Persistence mechanism, malware installation
4697	Security	Service installed on the system	Alternate service install logging

Exam Tip: Know logon type codes for Event ID 4624: Type 2 = Interactive, Type 3 = Network (SMB/shares), Type 7 = Unlock, Type 10 = RemoteInteractive (RDP). Type 3 and Type 10 are key indicators for lateral movement.

Linux Log Locations

Log File	Purpose	Key Content
/var/log/auth.log	Authentication events (Debian/Ubuntu)	SSH logins, sudo commands, PAM events
/var/log/secure	Authentication events (RHEL/CentOS)	Same as auth.log for Red Hat family
/var/log/syslog	General system messages	Kernel, services, cron, application logs
/var/log/messages	General system messages (RHEL/CentOS)	Equivalent of syslog for Red Hat family
/var/log/kern.log	Kernel messages	Hardware errors, driver issues, iptables logs
/var/log/apache2/access.log	Apache HTTP access log	Web requests, status codes, user agents
/var/log/faillog	Failed login attempts	Brute force detection
/var/log/wtmp	Login/logout history (binary)	Read with `last` command
/var/log/btmp	Bad login attempts (binary)	Read with `lastb` command

Syslog Protocol

Severity	Code	Keyword	Description
0	Emergency	emerg	System is unusable
1	Alert	alert	Immediate action required
2	Critical	crit	Critical conditions
3	Error	err	Error conditions
4	Warning	warning	Warning conditions
5	Notice	notice	Normal but significant
6	Informational	info	Informational messages
7	Debug	debug	Debug-level messages

Syslog uses UDP port 514 (traditional) or TCP port 514 (reliable). Syslog-over-TLS uses TCP port 6514 for encrypted transport. Syslog format: <PRI> TIMESTAMP HOSTNAME APP-NAME MSG where PRI = (Facility x 8) + Severity.

SIEM Architecture & Deployment

Log Sources: Firewalls, IDS/IPS, endpoints, servers, Active Directory, DNS, DHCP, proxy, email gateways, cloud services
Collection Methods: Agent-based (installed on endpoints), agentless (syslog, WMI, API polling), log forwarders (Splunk UF, Beats)
Normalization: Parsing raw logs into structured fields (source IP, destination IP, port, action, user, timestamp)
Correlation Engine: Applies rules to normalized events to detect multi-stage attacks and patterns across sources
Alerting: Generates notifications when correlation rules trigger (email, ticket, dashboard, SOAR webhook)
Dashboards & Reporting: Real-time visualization, compliance reports (PCI DSS, HIPAA, SOX), executive summaries
Retention: Hot storage (fast search, 30-90 days), warm storage (slower, 6-12 months), cold/archive (compliance, 1-7 years)

Common SIEM Correlation Rules

Use Case	Logic	Log Sources
Brute Force Detection	>5 failed logins (4625) from same source within 5 minutes	Windows Security, SSH auth.log
Account Compromise	Failed logins followed by successful login (4625 then 4624) from same source	Windows Security
Lateral Movement	Type 3/10 logon (4624) to multiple hosts from single source within timeframe	Windows Security
Privilege Escalation	User added to admin group (4732) by non-admin account	Windows Security, AD logs
Data Exfiltration	Unusual outbound data volume (>threshold) to external IP	Firewall, NetFlow, Proxy
Log Tampering	Audit log cleared (1102) or log service stopped	Windows Security, Syslog
C2 Beaconing	Regular-interval outbound connections to same external IP/domain	Firewall, Proxy, DNS

Splunk SPL Quick Reference

Query	Purpose
`index=windows EventCode=4625`	All failed Windows logons
`index=windows EventCode=4625 \| stats count by src_ip \| where count>5`	Brute force: sources with >5 failures
`index=firewall action=blocked \| top 10 src_ip`	Top 10 blocked source IPs
`index=proxy url=evil.com \| table _time src_ip url`	Proxy hits to known malicious domain
`index=* sourcetype=syslog "Failed password" \| stats count by host`	SSH brute force across Linux hosts
`index=windows EventCode=4688 New_Process_Name="powershell"`	PowerShell process execution tracking
`index=dns query_type=A \| rare query`	Unusual DNS queries (potential DGA domains)

Exam Tip: Understand SPL pipe syntax: search terms | stats/table/where/sort/top/rare. Know the difference between stats count by field (aggregation) and table field1 field2 (display specific columns).

ELK Stack Components

Component	Role	Details
Elasticsearch	Search & analytics engine	Stores indexed log data, full-text search, RESTful API, distributed architecture
Logstash	Log ingestion & parsing	Input plugins (syslog, beats, file), filter plugins (grok, mutate, geoip), output to Elasticsearch
Kibana	Visualization & dashboards	Discover (search), Visualize (charts), Dashboards, SIEM app for security analytics
Beats	Lightweight data shippers	Filebeat (logs), Winlogbeat (Windows events), Packetbeat (network), Metricbeat (metrics)

Alert Triage Process

Step	Action	Details
1. Validate	Confirm the alert is not a false positive	Check source/destination context, asset criticality, user identity, time of activity
2. Classify	Categorize the incident type	Malware, phishing, unauthorized access, DoS, data leak, policy violation
3. Prioritize	Assign severity and priority	Based on asset value, data sensitivity, scope of impact, threat actor capability
4. Correlate	Cross-reference with other events	Check SIEM for related alerts, same source/target, same timeframe
5. Enrich	Add context from external sources	Threat intel lookup (VirusTotal, AbuseIPDB), WHOIS, GeoIP, user directory
6. Decide	Escalate, contain, or close	True positive: escalate to L2/IR. False positive: tune rule, close ticket

Wireshark Display Filters

Filter	Purpose
`ip.addr == 10.0.0.5`	All traffic to/from specific IP
`ip.src == 192.168.1.0/24`	Traffic from a specific subnet
`tcp.port == 443`	HTTPS traffic
`tcp.flags.syn == 1 && tcp.flags.ack == 0`	SYN scan / port scan detection
`dns.qry.name contains "evil"`	DNS queries containing keyword
`http.request.method == "POST"`	HTTP POST requests (data exfil, webshells)
`http.request.uri contains "/admin"`	Requests targeting admin paths
`tcp.analysis.retransmission`	Retransmitted packets (network issues)
`frame contains "password"`	Cleartext credential detection
`!(arp \|\| dns \|\| icmp)`	Filter out noise protocols
`tls.handshake.type == 1`	TLS Client Hello (SNI analysis)

Exam Tip: Wireshark display filters use == for equals, != for not-equals, contains for substring match, && for AND, || for OR. Capture filters (BPF syntax) use different format: host 10.0.0.5, port 80, tcp.

Snort Rule Syntax

Format: action protocol src_ip src_port -> dst_ip dst_port (options;)

Example Rule	Description
`alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001; rev:1;)`	Detect 5+ SSH connections from same source in 60 seconds
`alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious User-Agent"; content:"User-Agent: Mozilla/4.0"; http_header; sid:1000002; rev:1;)`	Detect outdated/suspicious HTTP user-agent strings
`alert tcp any any -> $HOME_NET 445 (msg:"EternalBlue Exploit Attempt"; content:"\|FF\|SMB"; content:"\|57 00 69 00 6E 00\|"; sid:1000003; rev:1;)`	Detect SMB exploit payload signatures

Key rule options: msg (alert message), content (pattern match), flow (direction), threshold (rate limit), sid (unique rule ID), rev (revision). Actions: alert, log, pass, drop (IPS mode), reject.

MITRE ATT&CK Framework Mapping

Tactic	ID	Common Techniques	Detection
Initial Access	TA0001	Phishing (T1566), Exploit Public-Facing App (T1190)	Email gateway logs, WAF, IDS
Execution	TA0002	PowerShell (T1059.001), Windows Management (T1047)	Event ID 4688, ScriptBlock logging
Persistence	TA0003	Registry Run Keys (T1547), Scheduled Task (T1053)	Sysmon, Event ID 7045
Privilege Escalation	TA0004	Exploitation for Priv Esc (T1068), Valid Accounts (T1078)	Event ID 4672, 4732
Defense Evasion	TA0005	Obfuscation (T1027), Indicator Removal (T1070)	Event ID 1102, AMSI logs
Credential Access	TA0006	Brute Force (T1110), OS Credential Dumping (T1003)	Event ID 4625, LSASS access
Lateral Movement	TA0008	Remote Services (T1021), Pass-the-Hash (T1550)	Event ID 4624 Type 3/10
Exfiltration	TA0010	Exfil Over C2 Channel (T1041), Exfil Over Web (T1567)	DLP, NetFlow, Proxy
Command & Control	TA0011	Web Protocols (T1071), DNS Tunneling (T1071.004)	DNS analytics, proxy, beacon detection

Exam Tip: The CSA exam frequently tests MITRE ATT&CK mapping. Know the 14 tactics (columns) and be able to match observed behavior to the correct tactic and technique. The ATT&CK Navigator is used to visualize adversary coverage.

Malware Indicators & Phishing Analysis

Indicator Type	What to Look For	Tools
File-based	Suspicious hashes (MD5/SHA256), packed executables, double extensions (.pdf.exe), macro-enabled Office docs	VirusTotal, Hybrid Analysis, Any.Run
Network-based	C2 callbacks, beaconing patterns, DNS to DGA domains, unusual ports, encrypted traffic to unknown IPs	Wireshark, Zeek, NetworkMiner
Host-based	New scheduled tasks, registry modifications, unusual processes, disabled AV, unauthorized services	Sysmon, Autoruns, Process Explorer
Email / Phishing	Spoofed sender (SPF/DKIM/DMARC fail), urgency language, suspicious links, mismatched URLs, malicious attachments	Email headers analysis, PhishTool, URLScan.io

Email Header Analysis: Check Return-Path, Received headers (trace route), X-Originating-IP, SPF result (pass/fail), DKIM signature, DMARC policy
URL Analysis: Hover before clicking, check for typosquatting (g00gle.com), URL shorteners, IP-based URLs, unusual TLDs
Attachment Analysis: Never open directly; use sandbox (Any.Run, Joe Sandbox), check file hash on VirusTotal, look for embedded macros/scripts

Threat Hunting Concepts

Hypothesis-driven: Start with a hypothesis based on threat intel (e.g., "APT29 may be using PowerShell for lateral movement") and search for evidence
IoC-driven: Search for known indicators (hashes, IPs, domains) from threat intel feeds across logs and endpoints
Analytics-driven: Use statistical baselines and anomaly detection to find deviations (unusual login times, rare processes, data volume spikes)
Pyramid of Pain: Hash values (trivial to change) → IP addresses → Domain names → Network/Host artifacts → Tools → TTPs (hardest to change, most valuable)

NIST Incident Response Lifecycle (SP 800-61)

Phase	Activities	Key Outputs
1. Preparation	Policies, IR plan, team training, tool readiness, communication plan, playbooks	IR plan, contact list, jump bag, forensic toolkit
2. Detection & Analysis	Alert monitoring, log analysis, indicator correlation, scope determination, severity classification	Incident declaration, initial assessment, evidence preservation
3. Containment, Eradication & Recovery	Short-term containment (isolate), long-term containment (patch), remove threat, restore systems	Contained environment, clean systems, recovered services
4. Post-Incident Activity	Lessons learned meeting, IR report, process improvements, indicator sharing, rule updates	Post-mortem report, updated playbooks, new detection rules

SANS Incident Response Steps (PICERL)

Step	Phase	Description
P	Preparation	Establish IR capability, policies, team, tools
I	Identification	Detect and determine whether an event is an incident
C	Containment	Limit damage and prevent further spread
E	Eradication	Remove threat components from the environment
R	Recovery	Restore systems to normal operation, verify integrity
L	Lessons Learned	Document findings, improve processes, update defenses

Exam Tip: NIST uses 4 phases (combines containment/eradication/recovery). SANS uses 6 steps (PICERL). Both start with Preparation and end with Lessons Learned. Know both models and their differences.

Containment Strategies

Strategy	Action	When to Use
Network Isolation	Disconnect host from network (disable port, VLAN change, EDR isolation)	Active malware spread, C2 communication
Account Disable	Disable compromised user accounts, reset passwords, revoke tokens	Credential theft, unauthorized access
Firewall Block	Block malicious IPs/domains at perimeter firewall or proxy	Known C2 infrastructure, exfiltration destination
DNS Sinkhole	Redirect malicious domain queries to internal controlled IP	Botnet C2, DGA domain disruption
Sandboxing	Move suspicious system to isolated VLAN for monitoring	Need to observe attacker behavior before full containment

Evidence Collection & Chain of Custody

Order of Volatility: CPU registers/cache → RAM → Network state → Running processes → Disk (filesystem) → Remote logging → Backup media (collect most volatile first)
Memory Acquisition: Use tools like Volatility, FTK Imager, WinPmem to capture RAM before shutdown (running processes, network connections, encryption keys)
Disk Imaging: Create bit-for-bit forensic copy using dd, FTK Imager, or EnCase. Always hash (MD5+SHA256) original and copy to verify integrity
Chain of Custody: Document who collected evidence, when, where, how, and all subsequent transfers. Every access must be logged with date, time, and person
Write Blocker: Use hardware or software write blockers when connecting evidence drives to prevent accidental modification

Threat Intelligence Types

Type	Audience	Content	Timeframe
Strategic	Executives, board	High-level threat landscape, risk trends, business impact, geopolitical context	Long-term (months/years)
Tactical	SOC analysts, defenders	TTPs, attack patterns, adversary playbooks, MITRE ATT&CK mappings	Medium-term (weeks/months)
Operational	IR team, SOC managers	Specific campaigns, threat actor intent, timing of attacks	Short-term (days/weeks)
Technical	SOC L1/L2, SIEM engineers	IoCs: malicious IPs, domains, file hashes, URLs, email addresses	Immediate (hours/days)

Threat Intelligence Feeds & IoC Management

Source / Platform	Type	Description
MISP	Open-source TIP	Malware Information Sharing Platform; structured IoC sharing, STIX/TAXII support
AlienVault OTX	Open threat exchange	Community-driven pulse-based IoC sharing
VirusTotal	Multi-scanner	File/URL/domain reputation checks against 70+ AV engines
AbuseIPDB	IP reputation	Community-reported malicious IP database
Shodan / Censys	Internet scanning	Exposed services, vulnerabilities, attack surface discovery
STIX / TAXII	Standards	STIX = structured threat data format (JSON). TAXII = transport protocol for sharing STIX data

Exam Tip: STIX (Structured Threat Information eXpression) defines the "what" (threat data format). TAXII (Trusted Automated eXchange of Intelligence Information) defines the "how" (transport mechanism). Together they enable automated threat intel sharing between organizations.

Incident Reporting

Executive Summary: High-level overview for management (what happened, impact, current status)
Timeline: Chronological sequence of events from initial compromise to detection to resolution
Technical Details: IoCs, affected systems, attack vector, tools used by adversary, evidence collected
Impact Assessment: Data compromised, systems affected, business disruption, regulatory implications
Remediation Actions: What was done to contain, eradicate, and recover; what remains to be done
Recommendations: Long-term improvements to prevent recurrence (patching, config changes, new detection rules, training)
Lessons Learned: What worked well, what needs improvement in IR process, updated runbooks

SIEM Solutions Comparison

Feature	Splunk	IBM QRadar	Elastic SIEM	ArcSight
Query Language	SPL	AQL (Ariel Query Language)	KQL / Lucene	Proprietary rules
Deployment	On-prem, Cloud, Hybrid	On-prem, SaaS	On-prem, Cloud (Elastic Cloud)	On-prem
Licensing	Data volume (GB/day)	Events per second (EPS)	Open source core + paid features	EPS-based
Strength	Flexible search, massive ecosystem	Built-in offense management, network flow analysis	Cost-effective, scalable, open	Real-time correlation
Log Collection	Universal Forwarder, HEC	Log Source Extensions, WinCollect	Beats (Filebeat, Winlogbeat)	SmartConnectors

IDS vs IPS

Feature	IDS (Intrusion Detection)	IPS (Intrusion Prevention)
Mode	Passive (monitors copy of traffic)	Inline (sits in traffic path)
Action	Detect and alert only	Detect, alert, and block
Network Impact	No latency impact	Adds slight latency
Risk	Cannot stop attacks	False positives can block legitimate traffic
Deployment	SPAN port / TAP	Inline between network segments

Detection Methods: Signature-based (matches known patterns, fast, no zero-day detection), Anomaly-based (baselines normal behavior, detects unknowns, higher false positives), Protocol analysis (checks protocol compliance, detects malformed packets).

SIEM vs SOAR vs XDR

Capability	SIEM	SOAR	XDR
Primary Function	Log aggregation, correlation, alerting	Orchestration, automation, response playbooks	Unified detection across endpoint, network, cloud
Data Sources	Logs from any source	SIEM alerts, threat intel, case management	Endpoint, network, email, cloud (vendor telemetry)
Automation	Limited (rule-based alerting)	High (playbooks automate investigation & response)	Medium (AI-driven correlation and response)
Human Involvement	High (analysts review alerts)	Reduced (automates repetitive tasks)	Reduced (pre-correlated detections)
Examples	Splunk, QRadar, Elastic	Splunk SOAR, XSOAR, Swimlane	CrowdStrike Falcon, Microsoft Sentinel + Defender, Palo Alto Cortex XDR

Network Analysis Tools

Tool	Type	Use Case
Wireshark	Packet analyzer (GUI)	Deep packet inspection, protocol analysis, pcap investigation
tcpdump	Packet capture (CLI)	Lightweight capture on servers/sensors, BPF filter support
Zeek (Bro)	Network security monitor	Connection logs, HTTP/DNS/SSL logs, file extraction, scripting engine
NetworkMiner	Network forensic analyzer	OS fingerprinting, file/image extraction from pcap, host reconstruction
Nmap	Network scanner	Port scanning, service detection, OS fingerprinting, vulnerability scripts
NetFlow / sFlow	Flow data	Traffic volume analysis, baseline deviations, top talkers, exfil detection

Firewall Log Key Fields

Field	Description	SOC Use
src_ip / dst_ip	Source and destination IP addresses	Identify communication endpoints, geo-location
src_port / dst_port	Source and destination ports	Identify services (80=HTTP, 443=HTTPS, 22=SSH, 53=DNS)
action	Allow / Deny / Drop / Reset	Blocked vs permitted traffic analysis
bytes_sent / bytes_received	Data volume per session	Data exfiltration detection (unusual outbound volume)
rule_name / policy	Which firewall rule matched	Policy validation, rule hit analysis
application	Application-layer identification (NGFW)	Shadow IT detection, unauthorized app usage

Common Ports & Protocols for SOC Analysts

Port	Protocol	Service	Security Notes
20/21	TCP	FTP	Cleartext credentials; use SFTP/FTPS instead
22	TCP	SSH	Encrypted remote access; brute force target
23	TCP	Telnet	Cleartext; should never be used
25	TCP	SMTP	Email relay; spam/phishing vector
53	UDP/TCP	DNS	DNS tunneling, DGA, cache poisoning
80	TCP	HTTP	Unencrypted web; C2 channel risk
88	TCP/UDP	Kerberos	Kerberoasting, Golden/Silver ticket attacks
443	TCP	HTTPS	Encrypted web; C2 often hides in HTTPS
445	TCP	SMB	Lateral movement (PsExec, EternalBlue)
514	UDP	Syslog	Log forwarding to SIEM
3389	TCP	RDP	Remote desktop; brute force, BlueKeep CVE
8080/8443	TCP	Alt HTTP/HTTPS	Proxy, web apps, management consoles

Exam Tip: Unexpected outbound traffic on ports like 4444 (Meterpreter default), 8080, or high random ports can indicate C2 communication. Always investigate DNS over non-standard ports (e.g., TCP 443 for DoH) and large volume DNS TXT queries (possible DNS tunneling).

Quick Reference: Useful CLI Commands for SOC Analysts

Command	OS	Purpose
`netstat -anob`	Windows	Active connections with process names and PIDs
`ss -tulnp`	Linux	Listening sockets with process info
`wmic process list full`	Windows	Detailed running process list
`ps auxf`	Linux	Process tree with user context
`Get-WinEvent -LogName Security -MaxEvents 50`	PowerShell	Recent Windows Security events
`journalctl -u sshd --since "1 hour ago"`	Linux	Recent SSH daemon logs (systemd)
`certutil -hashfile file.exe SHA256`	Windows	Generate file hash for IoC comparison
`sha256sum file`	Linux	Generate file hash for IoC comparison
`nslookup / dig`	Both	DNS resolution and record queries
`tcpdump -i eth0 -w capture.pcap`	Linux	Capture network traffic to file for analysis

312-75

CSA - Certified SOC Analyst

CSA Practice Exam 1

CSA Practice Exam 2

CSA Practice Exam 3

CSA Practice Exam 4

CSA Practice Exam 5

CSA Practice Exam 6

Unlock All Content for 312-75

Preview (10 / 120)

Flash Cards

Available Languages

Exam Topics

312-75 Cheat Sheet

CSA 312-75 Exam Details

Domain Weight Breakdown

About the CSA Certification

SOC Tier Structure

SOC Models

Core SOC Tools

SOC KPIs & Metrics

SOC Workflow: Alert Lifecycle

Critical Windows Event IDs

Linux Log Locations

Syslog Protocol

SIEM Architecture & Deployment

Common SIEM Correlation Rules

Splunk SPL Quick Reference

ELK Stack Components

Alert Triage Process

Wireshark Display Filters

Snort Rule Syntax

MITRE ATT&CK Framework Mapping

Malware Indicators & Phishing Analysis

Threat Hunting Concepts

NIST Incident Response Lifecycle (SP 800-61)

SANS Incident Response Steps (PICERL)

Containment Strategies

Evidence Collection & Chain of Custody

Threat Intelligence Types

Threat Intelligence Feeds & IoC Management

Incident Reporting

SIEM Solutions Comparison

IDS vs IPS

SIEM vs SOAR vs XDR

Network Analysis Tools

Firewall Log Key Fields

Common Ports & Protocols for SOC Analysts

Quick Reference: Useful CLI Commands for SOC Analysts