CSA (312-39) SOC Simulation Lab

This lab explores raw network device log analysis. You will evaluate command-line interface (CLI) tools used by analysts to parse through high-velocity data streams directly on infrastructure hardware.

Scenario Context

You are a SOC Analyst at Spade Systems. Over the last 15 minutes, users have reported intermittent access drops to the internal finance server (10.0.40.22). SIEM log ingestion from the core network is currently delayed by 5 minutes due to an ingestion pipeline queue. To get immediate situational awareness, you SSH directly into the core Cisco IOS router. The logging buffer is overflowing with noisy routing updates, NAT translations, and general system messages. You suspect ACL 210 is dropping the traffic.

Security Environment

Current logging buffer state on Core-Router-01 (Output of raw show logging without filters):

Apr 8 14:41:02.115: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on GigabitEthernet0/0 from FULL to DOWN
Apr 8 14:41:02.321: %SEC-6-IPACCESSLOGP: list 210 denied tcp 192.168.10.55(54321) -> 10.0.40.22(443), 1 packet
Apr 8 14:41:03.001: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)
Apr 8 14:41:03.455: %NAT-6-CREATED: tcp 192.168.10.55:54321 198.51.100.12:443 203.0.113.88:443
Apr 8 14:41:04.112: %SEC-6-IPACCESSLOGP: list 210 denied tcp 192.168.10.12(61200) -> 10.0.40.22(443), 1 packet
Apr 8 14:41:04.882: %BGP-5-ADJCHANGE: neighbor 172.16.0.1 Up
... [Output truncated: 5,432 more lines in buffer] ...

SOC Note: Issuing a bare show logging will flood your terminal. You must filter the output locally on the router so that only entries containing "210" are displayed.

Question

Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the company's router logs and wants to check the logs generated by access control list number 210.

What filter should Peter add to the 'show logging' command to get the required output?

SOC Hint: Think about the standard Linux command grep. Which Cisco IOS keyword acts identically to grep by matching a specific string pattern within the piped output?

Expert Insight

What is happening in the SOC?

During a live incident, SIEM pipelines can occasionally lag, or you may need to verify the ground truth directly on the infrastructure. By jumping directly onto the core router (running Cisco IOS or a similar NOS), you are bypassing the SIEM entirely. Because network devices generate immense volumes of telemetry, printing the entire buffer is useless. You must use the CLI's own text processing, the pipe operator (|) followed by a filter keyword, to cut the noise down to the lines produced by the Access Control List (ACL 210) you suspect is causing the drops.

Why the answer is C (include)

In standard network operating systems like Cisco IOS, the pipe operator (|) directs the output of a command into a text filter. The keyword include is the direct equivalent of the Linux grep command. By typing show logging | include 210, the router will parse the memory buffer and only print lines to your terminal screen that explicitly contain the string "210".

Why the other options are incorrect
  • A, B, and D: access, forward, and route are not valid text-filtering arguments for the pipe operator in this context. While these are network terms, they are used for routing protocols or interface configuration, not for parsing standard output streams.

MINI LESSON: Cross-Platform CLI Filtering

As a SOC Analyst, you will jump between many different operating systems. You must know the local text-filtering syntax for each. They all achieve the exact same goal: pattern matching.

  • Cisco IOS: show logging | include [string]
  • Linux/Unix: cat /var/log/syslog | grep [string]
  • Windows CMD: type log.txt | findstr [string]
  • PowerShell: Get-Content log.txt | Select-String [string]
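The same filtering as an added shell example (not part of the lab), run with grep over a constructed copy of the buffer shown above; the last two sample lines are constructed additions that show why anchoring on "list 210 denied" is tighter than the bare string, since timestamps and addresses can also contain 210.

```shell
#!/bin/sh
# Constructed sample of the Core-Router-01 buffer (not captured from a real device).
# The last two lines are constructed to show what a bare "210" filter also matches.
LOG_SAMPLE='Apr 8 14:41:02.115: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on GigabitEthernet0/0 from FULL to DOWN
Apr 8 14:41:02.321: %SEC-6-IPACCESSLOGP: list 210 denied tcp 192.168.10.55(54321) -> 10.0.40.22(443), 1 packet
Apr 8 14:41:03.001: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)
Apr 8 14:41:03.455: %NAT-6-CREATED: tcp 192.168.10.55:54321 198.51.100.12:443 203.0.113.88:443
Apr 8 14:41:04.112: %SEC-6-IPACCESSLOGP: list 210 denied tcp 192.168.10.12(61200) -> 10.0.40.22(443), 1 packet
Apr 8 14:41:04.882: %BGP-5-ADJCHANGE: neighbor 172.16.0.1 Up
Apr 8 14:41:05.210: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Apr 8 14:41:06.004: %SEC-6-IPACCESSLOGP: list 150 denied udp 10.0.210.7(2100) -> 10.0.40.22(53), 1 packet'

# grep equivalent of "show logging | include 210": every line containing the substring.
filter_bare() {
  printf '%s\n' "$LOG_SAMPLE" | grep '210'
}

# grep equivalent of "show logging | include list 210 denied": only ACL 210 denies.
filter_acl210() {
  printf '%s\n' "$LOG_SAMPLE" | grep 'list 210 denied'
}

# Summarise ACL 210 denies by source host so the analyst sees who is being dropped.
# The sed expression pulls the address before the "(port)" of each denied packet.
acl210_sources() {
  filter_acl210 | sed -n 's/.*denied [a-z]* \([0-9.]*\)(.*/\1/p' | sort | uniq -c | sort -rn
}

filter_bare
echo '---'
acl210_sources
```

The bare filter returns four lines here while the anchored one returns the two ACL 210 denies, which is the difference you want when the buffer holds thousands of entries.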

Want to master more SOC investigations?

Explore more CSA simulations by ExamRange