ExamRange – CSA 312-39 Simulation

Scenario Context

You are mentoring Jannet, a junior SOC analyst at a multinational corporation. The company recently underwent an aggressive M&A (Mergers and Acquisitions) phase, absorbing multiple IT environments.

Currently, the SOC's Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) are severely lagging. When an incident occurs, Jannet's team has to write 5 to 6 different query variations in the SIEM just to track a single threat actor's lateral movement because every vendor logs IP addresses and user actions differently. They are stuck doing manual mapping instead of actual threat hunting.

Security Environment

Below is a sample of the raw telemetry hitting the SIEM for a single incident where a user authenticated and then had traffic blocked by a firewall. Notice the schema discrepancies:

// Log Source 1: AWS CloudTrail (JSON) {"eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.22", "userIdentity": {"userName": "jsmith"}} // Log Source 2: Windows Security Event 4624 (XML-derived) EventID: 4624 IpAddress: 198.51.100.22 TargetUserName: jsmith // Log Source 3: Palo Alto Firewall (Syslog/CSV format) 1,2023/10/24 10:00:00,00123A,TRAFFIC,drop,1,198.51.100.22,10.0.0.5,jsmith@domain.local...

The SIEM currently treats these as entirely distinct field names, breaking correlation rules that rely on a single 'source IP' or 'user' parameter.

Question

Jannet works in a multinational corporation that operates multiple data centers, cloud environments, and on-premises systems as a SOC analyst, she notices that security incidents are taking too long to detect and investigate. After analyzing this, she discovers that logs from firewalls, endpoint security solutions, authentication servers, and cloud applications are scattered across different systems in various formats hence her team has to manually convert logs into a readable format before investigating incidents. What approach should she implement to enable accepting the logs from heterogeneous sources with different formats and converting them into common format and improving incident detection and response time?

SOC Hint: Look at the logs above. We have sourceIPAddress, IpAddress, and a raw comma-separated value. What is the specific term used when a SIEM maps all these disparate vendor fields into a single, standardized schema (like Elastic ECS or Splunk CIM)?

Expert Insight: Senior Analyst Review

Let's look at this from a Tier 3 perspective. Jannet's problem is one of the most common pitfalls in modern Security Operations Centers: Schema fragmentation.

Why D (Log Normalization) is Correct

Log Normalization is the explicit process of taking disparate log formats and mapping them to a common schema. In the real world, this means ensuring that AWS's sourceIPAddress, Windows' IpAddress, and Palo Alto's src all get mapped to a universal field—for example, src_ip. When logs are normalized, an analyst can run a single query like src_ip="198.51.100.22" and see the user's journey across the firewall, the cloud, and the endpoint instantly. This drastically reduces MTTR.

Why the Others are Incorrect

A. Log transformation: This is a broader term that refers to altering data (e.g., masking PII, dropping noisy fields, converting timestamps). While normalization is a *type* of transformation, "normalization" is the specific industry term for converting heterogeneous schemas into a common baseline for SIEM analysis.
B. Log correlation: This is what you do after normalization. You cannot effectively correlate events (e.g., finding a Brute Force attack followed by a VPN Login) if the SIEM doesn't understand that the "user" field in the brute force log is the same entity as the "SubjectUserName" in the VPN log.
C. Log collection: This is simply the transport mechanism (agents, Syslog receivers, API pulls) getting the raw data into the SIEM. It does nothing to make the data readable or consistent.

MINI LESSON: The SIEM Data Pipeline

As a SOC analyst, you must understand the exact lifecycle of a log before you write a detection rule. If your rule isn't firing, it usually broke at one of these stages:

Collection: Pulling the log via WMI, Syslog, or API.
Parsing: Breaking the raw string into key-value pairs using RegEx or JSON parsers.
Normalization (The Answer): Mapping parsed keys to a framework (like Splunk CIM, Elastic ECS, or Microsoft ASIM).
Enrichment: Adding context (e.g., matching the IP to a GeoIP database or Threat Intel feed).
Correlation: Writing logic that says "If Event A and Event B happen within 5 minutes, trigger an alert."

Pro Tip: Never write correlation rules against raw vendor fields if your SIEM supports normalization. If you write a rule looking for TargetUserName and the company switches from Windows AD to Okta tomorrow, your rule breaks. If you write it against a normalized user field, your rule survives the vendor swap.