Log Analysis PBQs: Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Question 1 of 3 (difficulty: easy)
You are a network security engineer reviewing Cisco ASA firewall logs after a policy compliance scan flagged an anomaly. The automated threat intelligence feed identified an outbound connection attempt from an internal workstation to an IP address categorized as malicious. Pull up the event log in your monitoring console, flag all entries related to the policy violation, and classify the incident.
Objectives
- Review the Cisco ASA firewall logs for policy violation alerts
- Flag all entries related to the unauthorized outbound connection attempts to the malicious IP
- Classify the type of security incident
- Identify the internal host attempting the suspicious outbound connection
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 09:00:05 | INFO | firewall | ASA-6-302013: Built outbound TCP connection 148231 for outside:93.184.216.34/443 from inside:10.10.1.45/52100 |
| | 09:01:30 | INFO | auth | Successful VPN login: rjohnson from 192.168.50.12 via AnyConnect |
| | 09:03:00 | INFO | system | ASA-6-199002: Startup: PIX/ASA initialization complete, version 9.18(1) |
| | 09:05:22 | WARN | firewall | ASA-4-733100: Threat detection rate exceeded: outbound connection from 10.10.1.112 to 203.0.113.200:443 -- IP in malicious category (C2-known) |
| | 09:05:25 | ALERT | firewall | ASA-2-106001: Outbound TCP connection DENIED from 10.10.1.112/49331 to 203.0.113.200/443 -- threat intelligence block (malicious-ip category) |
| | 09:05:30 | INFO | web | 200 GET /intranet/dashboard from 10.10.1.45 (internal portal) |
| | 09:06:10 | WARN | firewall | ASA-4-733100: Repeat connection attempt from 10.10.1.112 to 203.0.113.200:443 -- blocked by threat intelligence policy |
| | 09:07:00 | INFO | system | ASA-6-302014: Teardown TCP connection 148231 for outside:93.184.216.34/443 from inside:10.10.1.45/52100 duration 0:06:55 |
| | 09:08:15 | ALERT | firewall | ASA-2-106001: Outbound TCP connection DENIED from 10.10.1.112/49340 to 203.0.113.200/8443 -- threat intelligence block (malicious-ip category) |
| | 09:09:00 | INFO | auth | Successful login: admin from 10.10.1.5 to ASA management console via HTTPS |
| | 09:10:30 | INFO | web | 200 GET /api/health from 10.0.0.5 (monitoring probe) |
| | 09:11:00 | INFO | system | ASA-6-305011: NAT translation built for inside:10.10.1.45 to outside:198.18.0.45 |
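As an added example (not part of the PBQ and not Cisco tooling), the Python below does the triage the objectives ask for over the event log: it parses the ASA syslog rows, flags every row whose destination is on a threat-intelligence list, and summarizes the flagged set per source host. The log lines are re-typed from the table above and the malicious-IP set is an assumption standing in for the feed the ASA matched against.

```python
import re
from collections import Counter

# Constructed sample: rows re-typed from the event log above (one non-ASA web row included on purpose).
SAMPLE_LOG = [
    "09:00:05 INFO firewall ASA-6-302013: Built outbound TCP connection 148231 for outside:93.184.216.34/443 from inside:10.10.1.45/52100",
    "09:05:22 WARN firewall ASA-4-733100: Threat detection rate exceeded: outbound connection from 10.10.1.112 to 203.0.113.200:443 -- IP in malicious category (C2-known)",
    "09:05:25 ALERT firewall ASA-2-106001: Outbound TCP connection DENIED from 10.10.1.112/49331 to 203.0.113.200/443 -- threat intelligence block (malicious-ip category)",
    "09:05:30 INFO web 200 GET /intranet/dashboard from 10.10.1.45 (internal portal)",
    "09:06:10 WARN firewall ASA-4-733100: Repeat connection attempt from 10.10.1.112 to 203.0.113.200:443 -- blocked by threat intelligence policy",
    "09:08:15 ALERT firewall ASA-2-106001: Outbound TCP connection DENIED from 10.10.1.112/49340 to 203.0.113.200/8443 -- threat intelligence block (malicious-ip category)",
]

# Assumed threat-intel set; in production this comes from the feed the ASA enforces, not a hard-coded value.
MALICIOUS_IPS = {"203.0.113.200"}

# "<time> <severity> <source> ASA-<level>-<id>: <message>"; auth/web rows have no ASA id and do not match.
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<sev>\w+) (?P<src>\w+) (?P<msgid>ASA-\d-\d{6}): (?P<msg>.*)$")
# Flow written as "from <ip>[/port] to <ip>:<port>" or "from <ip>/<port> to <ip>/<port>", optional "inside:" prefix.
FLOW_RE = re.compile(r"from (?:\w+:)?(?P<sip>(?:\d{1,3}\.){3}\d{1,3})(?:/\d+)? to (?:\w+:)?(?P<dip>(?:\d{1,3}\.){3}\d{1,3})[:/](?P<dport>\d+)")

def parse(line):
    """Return a dict of fields for an ASA syslog row, or None for rows that are not ASA messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    flow = FLOW_RE.search(rec["msg"])
    rec.update(flow.groupdict() if flow else {"sip": None, "dip": None, "dport": None})
    return rec

def flag_events(lines, malicious_ips=MALICIOUS_IPS):
    """Rows to flag: ASA messages whose destination IP is on the threat-intel list, kept in log order."""
    return [r for r in map(parse, lines) if r and r["dip"] in malicious_ips]

def summarize(flagged):
    """Collapse the flagged rows into what an analyst reports: host, attempt count, ports, time window."""
    hosts = Counter(r["sip"] for r in flagged)
    c2 = any("C2" in r["msg"] for r in flagged)  # category label carried in the ASA message text
    return {
        "host": hosts.most_common(1)[0][0] if hosts else None,
        "attempts": len(flagged),
        "denied": sum(r["msgid"] == "ASA-2-106001" for r in flagged),
        "ports": sorted({int(r["dport"]) for r in flagged}),
        "window": (flagged[0]["time"], flagged[-1]["time"]) if flagged else None,
        # Analyst's reading of the feed category: a blocked C2 callback means the host itself needs examination.
        "classification": "blocked C2 callback attempt" if c2 else "blocked connection to malicious IP",
    }

if __name__ == "__main__":
    for r in flag_events(SAMPLE_LOG):
        print(f"FLAG {r['time']} {r['msgid']} {r['sip']} -> {r['dip']}:{r['dport']}")
    print(summarize(flag_events(SAMPLE_LOG)))
```

Note that the ASA-6-302013 row is parsed but not flagged: its flow is written "for outside:... from inside:..." and goes to a destination that is not on the list, which is exactly the distinction the exercise wants made.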