CertNova

Log Analysis PBQs: CompTIA Cybersecurity Analyst (CySA+) CS0-003

easy

Question 1 of 3

You are a SOC analyst performing morning triage at the start of your shift. Your Web Application Firewall (WAF) and IDS generated several alerts overnight related to a public-facing web application. The overnight team flagged possible SQL injection attempts. Review the SIEM log entries, flag all entries related to the SQL injection activity, and classify the incident.

Objectives

  • Review the SIEM log for web application attack indicators
  • Flag all log entries related to the SQL injection attempts
  • Classify the type of security incident
  • Identify the attacker's source IP address
  • Recommend the most appropriate immediate response action

Security Event Log

Time      Severity  Source    Message
03:10:00  INFO      web       200 GET /products?category=electronics from 192.168.1.30
03:12:15  INFO      web       200 GET /api/health from 10.0.0.5 (monitoring)
03:15:30  WARN      ids       SQL injection attempt detected: GET /products?category=electronics' OR '1'='1 from 203.0.113.50
03:15:32  ALERT     web       WAF BLOCK: SQL injection pattern in query string from 203.0.113.50 -- rule: sqli-generic-01
03:16:45  WARN      database  SQL syntax error on products_db: unexpected token near 'UNION SELECT' -- query from app-server-01
03:17:10  INFO      web       200 POST /api/login from 192.168.1.45 -- successful authentication
03:18:00  INFO      system    Scheduled log rotation completed on web-server-01
03:20:00  INFO      web       200 GET /images/logo.png from 192.168.1.30
03:22:30  ALERT     ids       Repeated SQL injection attempts: 4 blocked requests from 203.0.113.50 in 7 minutes
03:25:00  INFO      web       200 GET /about from 192.168.1.30
03:28:00  INFO      system    Automated certificate renewal check: all certificates valid
03:30:00  INFO      web       200 GET /products?category=clothing from 192.168.1.45

12 total entries.
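The triage above can be done by hand in a few minutes, but the same reasoning is what a SIEM correlation rule or a triage script encodes: match injection syntax and detector output, pull the external IP out of the flagged rows, bound the attack window, and check whether anything reached the database in that window. The following Python is an added example written for this page, not CertNova's code or an official answer key. The log is a constructed pipe-delimited copy of the 12 entries in the table; the indicator patterns, the internal-network list and the triage summary are this example's own choices. Note one practical caveat it handles: 203.0.113.0/24 is RFC 5737 documentation space, which Python's ipaddress module also reports as private, so the script tests the RFC 1918 ranges explicitly rather than relying on is_private.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the 12 SIEM entries from the question, one row per line:
# time|severity|source|message. Content matches the table above.
SIEM_LOG = """\
03:10:00|INFO|web|200 GET /products?category=electronics from 192.168.1.30
03:12:15|INFO|web|200 GET /api/health from 10.0.0.5 (monitoring)
03:15:30|WARN|ids|SQL injection attempt detected: GET /products?category=electronics' OR '1'='1 from 203.0.113.50
03:15:32|ALERT|web|WAF BLOCK: SQL injection pattern in query string from 203.0.113.50 -- rule: sqli-generic-01
03:16:45|WARN|database|SQL syntax error on products_db: unexpected token near 'UNION SELECT' -- query from app-server-01
03:17:10|INFO|web|200 POST /api/login from 192.168.1.45 -- successful authentication
03:18:00|INFO|system|Scheduled log rotation completed on web-server-01
03:20:00|INFO|web|200 GET /images/logo.png from 192.168.1.30
03:22:30|ALERT|ids|Repeated SQL injection attempts: 4 blocked requests from 203.0.113.50 in 7 minutes
03:25:00|INFO|web|200 GET /about from 192.168.1.30
03:28:00|INFO|system|Automated certificate renewal check: all certificates valid
03:30:00|INFO|web|200 GET /products?category=clothing from 192.168.1.45
"""

# Internal address space (RFC 1918). Checked explicitly because 203.0.113.0/24
# (RFC 5737 documentation space, used for the attacker here) is also reported
# as private by ipaddress.ip_address(...).is_private.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Two indicator classes (assumed patterns for this example): injection syntax
# present in the request itself, and detector output describing it.
INDICATORS = [
    ("payload:tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I)),
    ("payload:union-select", re.compile(r"\bUNION\s+SELECT\b", re.I)),
    ("detector:ids-waf", re.compile(r"SQL injection|sqli-", re.I)),
    ("detector:db-error", re.compile(r"SQL syntax error", re.I)),
]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Entry:
    time: str       # HH:MM:SS, fixed width, so string comparison orders correctly
    severity: str
    source: str
    message: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Split the pipe-delimited rows into Entry objects."""
    return [Entry(*line.split("|", 3)) for line in text.strip().splitlines()]


def flag_entries(entries):
    """Attach every matching indicator name to each entry; return the flagged ones."""
    for e in entries:
        e.reasons = [name for name, rx in INDICATORS if rx.search(e.message)]
    return [e for e in entries if e.reasons]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def attacker_ips(flagged):
    """External IPs named in flagged entries, most frequent first."""
    counts = {}
    for e in flagged:
        for ip in IP_RE.findall(e.message):
            if not is_internal(ip):
                counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts, key=counts.get, reverse=True)


def triage(text):
    """Flag rows, name the attacker, bound the attack window, classify, and check
    whether a payload got past the WAF to the database."""
    entries = parse_log(text)
    flagged = flag_entries(entries)
    ips = attacker_ips(flagged)
    attacker = ips[0] if ips else None
    hits = [e for e in flagged if attacker and attacker in e.message]
    window = (hits[0].time, hits[-1].time) if hits else (None, None)
    # A database-side error inside the window did not come through the WAF block
    # path: it shows a request that reached the backend via the app server.
    db_errors = [e for e in flagged if hits and e.source == "database"
                 and window[0] <= e.time <= window[1]]
    return {
        "flagged_times": [e.time for e in flagged],
        "attacker_ip": attacker,
        "attack_window": window,
        "classification": "SQL injection attempt against public-facing web application",
        "payload_reached_db": bool(db_errors),
        "immediate_action": (
            f"Block {attacker} at the WAF/perimeter firewall, then have the application "
            "team confirm what reached products_db via app-server-01"
            if db_errors else
            f"Block {attacker} at the WAF/perimeter firewall and continue monitoring"),
    }


if __name__ == "__main__":
    for key, value in triage(SIEM_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed log, triage() flags the four rows at 03:15:30, 03:15:32, 03:16:45 and 03:22:30, names 203.0.113.50 as the only external address in them, and reports that a UNION SELECT payload reached products_db inside the 03:15:30 to 03:22:30 window even though the WAF logged blocks. That last point is why the immediate action is not just "block the IP": the database error came from app-server-01, so someone has to confirm what that query did.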

Incident Analysis

Flag suspicious entries and answer the incident questions