312-39 Question #19: Real Exam Question with Answer & Explanation
The correct answer is B: Define correlation rules and conditions that detect specific privilege escalation patterns.
Question
Options
- A. Define response actions for detected incidents before writing the rules
- B. Define correlation rules and conditions that detect specific privilege escalation patterns
- C. Implement and test the use case immediately in the production SIEM environment
- D. Collect historical security logs to confirm the use case is necessary
Explanation
Once the event sources are validated, the next logical step is to define the detection logic: the correlation rules and conditions that represent privilege escalation patterns. In SOC engineering, validated sources mean you have the raw ingredients; now you must specify what "bad" looks like in those logs. For privilege escalation on Windows, this might include abnormal group membership changes, creation of new privileged accounts, suspicious privilege assignment events, UAC bypass indicators, or admin logons from non-admin workstations. Defining correlation rules also includes setting time windows, selecting strong pivots (account, host, SID), and incorporating context to reduce noise (approved admin accounts, maintenance windows, known tooling). Defining response actions is important, but it should follow the detection logic so you don't automate reactions to unstable or noisy detections. Testing immediately in production is risky; best practice is to test in a controlled manner or pilot mode first to avoid operational disruption and excessive false positives. Collecting historical logs can help tune baselines, but the scenario states the sources are already validated; the next step is to codify the conditions that detect the targeted behavior.
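The following is an added illustration, not part of the original question page, of what "codifying the conditions" looks like for two of the patterns named above: a newly created account that is quickly added to a privileged group (pivot on the target account, with a time window and an approved-provisioner exclusion), and an admin account logging on from a host outside the admin workstation set. The events, hosts, account names and group lists are constructed sample data; the Windows Security event IDs used (4720, 4728, 4732, 4624) are the standard ones.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event IDs are the standard
# Windows Security IDs: 4720 user created, 4728/4732 member added to a
# security-enabled global/local group, 4624 successful logon.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 4720, "host": "DC01", "subject": "svc-deploy", "target": "tmp-admin"},
    {"ts": "2024-05-01T09:03:00", "id": 4728, "host": "DC01", "subject": "svc-deploy", "target": "tmp-admin", "group": "Domain Admins"},
    {"ts": "2024-05-01T10:00:00", "id": 4720, "host": "DC01", "subject": "hr-admin", "target": "new.hire"},
    {"ts": "2024-05-01T11:30:00", "id": 4732, "host": "DC01", "subject": "it-ops", "target": "new.hire", "group": "Remote Desktop Users"},
    {"ts": "2024-05-01T12:00:00", "id": 4624, "host": "WS-FINANCE-07", "subject": "da.alice", "target": "da.alice"},
    {"ts": "2024-05-01T12:05:00", "id": 4624, "host": "ADMIN-JUMP-01", "subject": "da.bob", "target": "da.bob"},
]

# Context used to reduce noise (all assumed values for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ADMIN_WORKSTATIONS = {"ADMIN-JUMP-01"}
ADMIN_ACCOUNTS = {"da.alice", "da.bob"}
APPROVED_PROVISIONERS = {"hr-admin"}   # accounts expected to create users

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def rule_new_account_made_privileged(events, window_minutes=10):
    """Pivot on the target account: a 4720 (creation) by a non-approved
    subject, followed within the window by membership in a privileged group."""
    window = timedelta(minutes=window_minutes)
    created = {}
    alerts = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720 and e["subject"] not in APPROVED_PROVISIONERS:
            created[e["target"]] = _ts(e)
        elif e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            t0 = created.get(e["target"])
            if t0 is not None and _ts(e) - t0 <= window:
                alerts.append(("new_account_privileged", e["target"], e["group"]))
    return alerts

def rule_admin_logon_from_non_admin_host(events):
    """Admin account logging on to a host outside the admin workstation set."""
    return [("admin_logon_non_admin_host", e["target"], e["host"])
            for e in events
            if e["id"] == 4624 and e["target"] in ADMIN_ACCOUNTS
            and e["host"] not in ADMIN_WORKSTATIONS]

if __name__ == "__main__":
    for alert in rule_new_account_made_privileged(EVENTS) + rule_admin_logon_from_non_admin_host(EVENTS):
        print(alert)
```

Narrowing the time window or adding a subject to the approved-provisioner set changes the result, which is exactly the tuning the explanation describes before any response action is automated.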