Log Analysis PBQs: Understanding Cisco Cybersecurity Operations Fundamentals (200-201)
Difficulty: easy. Question 1 of 3
You are a Tier 1 SOC analyst at a mid-size enterprise. Your IDS console has flagged several alerts over the past 20 minutes from an external IP targeting your DMZ web server. Your shift lead asks you to pull up the consolidated event log in the SIEM, flag all entries related to the scanning activity, and provide an initial classification so the incident can be triaged.
Objectives
- Review the SIEM event log for scanning activity targeting the DMZ web server
- Flag all log entries associated with the port scan reconnaissance
- Classify the type of security incident
- Identify the attacker's source IP address
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 14:00:05 | INFO | web | 200 GET /index.html from 192.168.10.25 |
| 14:01:12 | INFO | system | Cron job executed: /etc/cron.daily/logrotate completed successfully |
| 14:02:00 | INFO | auth | Successful login: svc-monitor from 10.0.0.5 via SSH key authentication |
| 14:03:45 | ALERT | ids | Port sweep signature matched: sequential SYN scan from 203.0.113.18 across 5+ ports on 10.0.1.50 |
| 14:04:00 | INFO | firewall | ALLOW TCP 192.168.10.25:49812 -> 10.0.1.50:443 (established session) |
| 14:04:10 | INFO | web | 200 GET /api/health from 10.0.0.5 (monitoring probe) |
| 14:04:22 | WARN | firewall | DENY TCP 203.0.113.18:52341 -> 10.0.1.50:3389 (RDP) -- policy violation |
| 14:04:30 | INFO | web | 200 POST /api/reports from 192.168.10.25 (internal user request) |
| 14:04:45 | INFO | system | Disk usage check: /var/log at 68% capacity (threshold 85%) |
| 14:05:01 | ALERT | firewall | Rate limit triggered: 203.0.113.18 exceeded 15 connection attempts/min to 10.0.1.50 |
| 14:05:30 | WARN | ids | Follow-up probe: 203.0.113.18 attempting service version detection on 10.0.1.50:443 after initial port sweep |
| 14:06:00 | INFO | auth | Successful login: webadmin from 192.168.10.10 to management console |
| 14:07:00 | INFO | system | Scheduled backup started: /data/nightly-backup.tar.gz |
13 total entries.
Incident Analysis
Flag suspicious entries and answer the incident questions.