Log Analysis PBQs: CompTIA Security+ (SY0-701)
mediumQuestion 1 of 3
You are a security analyst reviewing overnight logs in your organization's SIEM dashboard. The overnight shift left a note saying they noticed unusual authentication activity starting around 02:30 UTC. Review the security event log, flag all entries related to the suspicious activity, and classify the incident.
Objectives
- •Review the security event log for suspicious activity starting around 02:30 UTC
- •Flag all log entries related to the attack
- •Classify the type of security incident
- •Identify the attacker's source IP address
- •Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| 02:15:00 | INFO | web | 200 GET /index.html from 192.168.1.50 | |
| 02:28:00 | INFO | auth | Successful login: jsmith from 192.168.1.42 | |
| 02:31:12 | WARN | auth | Failed login: admin from 203.0.113.45 — invalid password (attempt 1) | |
| 02:31:15 | WARN | auth | Failed login: admin from 203.0.113.45 — invalid password (attempt 2) | |
| 02:31:18 | WARN | auth | Failed login: admin from 203.0.113.45 — invalid password (attempt 3) | |
| 02:31:21 | WARN | auth | Failed login: admin from 203.0.113.45 — invalid password (attempt 4) | |
| 02:31:24 | ALERT | auth | Failed login: admin from 203.0.113.45 — invalid password (attempt 5) | |
| 02:31:25 | ALERT | auth | Account lockout triggered: admin — 5 consecutive failures from 203.0.113.45 | |
| 02:31:30 | ALERT | ids | Brute-force signature matched: 5 failed logins in 18s from 203.0.113.45 | |
| 02:32:01 | WARN | auth | Failed login: root from 203.0.113.45 — account does not exist | |
| 02:32:04 | WARN | auth | Failed login: administrator from 203.0.113.45 — account does not exist | |
| 02:32:10 | ALERT | firewall | Rate limit triggered: 203.0.113.45 exceeded 10 requests/min on port 22 | |
| 02:33:00 | INFO | system | Scheduled backup started: /data/nightly-backup.tar.gz | |
| 02:35:00 | INFO | web | 200 GET /api/health from 10.0.0.5 (monitoring) | |
| 02:40:00 | INFO | system | Scheduled backup completed successfully |
15 total entries. Click a row or use checkboxes to flag suspicious events.
Incident Analysis
Progress
0 of 13 items correctFlag suspicious entries and answer the incident questions
0 of 3 marked complete