Certified SOC Analyst (CSA) — Question 86

John, SOC analyst wants to monitor the attempt of process creation activities from any of their Windows endpoints.
Which of following Splunk query will help him to fetch related logs associated with process creation?

Answer options

• A. index=windows LogName=Security EventCode=4678 NOT (Account_Name=*$) .. .. ... ..
• B. index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) .. .. ..
• C. index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$) .. .. ..
• D. index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$) ... ... ...

Correct answer: B

Explanation

The correct answer is B because EventCode 4688 specifically logs process creation events in Windows. The other options reference different event codes that do not pertain to process creation, making them invalid for this purpose.