Log Analysis PBQs: CISSP - Certified Information Systems Security Professional
Question 1 of 3 (difficulty: easy)
You are the security operations manager conducting a morning review of overnight SIEM alerts. The access control system flagged an anomaly: a low-privilege employee account authenticated to a restricted financial reporting system after normal business hours. Physical access logs show badge-in activity at the same time. Review the consolidated access control and authentication events, flag all entries related to the unauthorized access, and provide an initial incident classification.
Objectives
- Review the access control and authentication log for after-hours unauthorized activity
- Flag all entries related to the unauthorized access attempt, including badge access, login, and privilege escalation
- Classify the type of security incident
- Identify the user account involved in the suspicious activity
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 17:30:00 | INFO | auth | Successful logout: finance_analyst1 from FINRPT-SRV01 (end of business session) |
| 17:45:00 | INFO | system | Scheduled maintenance: nightly backup job started on FINRPT-SRV01 |
| 22:15:30 | WARN | auth | After-hours badge scan: employee jmorales (Help Desk, Level 1) at Building B, Server Room entrance -- outside approved schedule |
| 22:16:45 | WARN | auth | After-hours login: jmorales authenticated to FINRPT-SRV01 via RDP from workstation 10.20.5.88 -- account has no financial system access |
| 22:17:30 | ALERT | auth | Access control violation: jmorales attempted to access restricted share \\FINRPT-SRV01\Q1-Reports -- permission denied (insufficient privileges) |
| 22:18:00 | INFO | system | Nightly backup job completed successfully on FINRPT-SRV01 |
| 22:19:15 | ALERT | auth | Privilege escalation attempt: jmorales ran 'net localgroup administrators jmorales /add' on FINRPT-SRV01 -- command failed (insufficient rights) |
| 22:20:00 | INFO | web | 200 GET /intranet/portal from 10.20.5.88 |
| 22:21:30 | WARN | auth | Multiple access denied events: jmorales attempted to open 3 restricted directories on FINRPT-SRV01 within 2 minutes |
| 22:23:00 | INFO | system | Antivirus scan completed: 0 threats found on FINRPT-SRV01 |
| 22:25:00 | INFO | auth | Logout: jmorales disconnected from FINRPT-SRV01 RDP session |
| 22:26:00 | WARN | auth | After-hours badge scan: employee jmorales exited Building B, Server Room -- total time in restricted area: 10 minutes |
| 23:00:00 | INFO | system | Scheduled log rotation completed on SIEM collector |
13 total entries.