Log Analysis PBQs: CompTIA SecurityX (CAS-005)
Question 1 of 3 (difficulty: easy)
Your enterprise SOC has received an automated alert from the SIEM: a credential stuffing campaign is targeting your public-facing authentication portal. The attack uses leaked credentials from a recent third-party breach. Multiple user accounts are being targeted from several distributed external IPs. Review the authentication and IDS logs, flag all entries related to the credential stuffing activity, and classify the incident.
Objectives
- Review the authentication and IDS logs for credential stuffing indicators
- Flag all log entries related to the distributed login attack
- Classify the type of security incident
- Identify the primary attacker source IP address
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 11:00:00 | INFO | auth | Successful login: admin-svc from 10.0.0.3 -- service account for scheduled tasks |
| 11:02:15 | WARN | auth | Failed login: bwilliams from 192.0.2.10 -- invalid password |
| 11:02:22 | WARN | auth | Failed login: akim from 203.0.113.40 -- invalid password |
| 11:03:00 | INFO | web | 200 GET /portal/dashboard from 192.168.1.50 -- employee access |
| 11:03:15 | WARN | auth | Failed login: lnguyen from 198.51.100.25 -- invalid password |
| 11:04:00 | ALERT | ids | Credential stuffing pattern: 5 failed logins across 3 unique accounts from 3 external IPs in 105 seconds |
| 11:04:30 | INFO | system | Certificate auto-renewal completed for portal.corp.local |
| 11:05:00 | INFO | auth | Successful login: jdoe from 192.168.1.35 -- internal workstation |
| 11:05:30 | INFO | web | 200 GET /api/health from 10.0.0.5 (monitoring) |
| 11:06:00 | ALERT | auth | Account lockout triggered: bwilliams -- 5 consecutive failures from distributed IPs |
| 11:08:00 | INFO | system | Scheduled backup started: database-daily-snapshot |
| 11:10:00 | INFO | web | 200 GET /intranet/wiki from 192.168.1.50 |
| 11:12:00 | INFO | auth | Successful login: mwilson from 192.168.1.42 -- VPN connection |
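The review the objectives ask for can be scripted. The following is an added example written for this page, not code from CompTIA or from the PBQ itself. It transcribes the Security Event Log table above, keeps only failed logins from addresses outside the RFC 1918 and loopback ranges (the `INTERNAL_NETS` list is an assumption about this enterprise's address plan), and looks for the distributed pattern the IDS rule describes: several failures spread across several accounts and several external IPs inside a short window. The thresholds (`min_failures`, `min_accounts`, `min_ips`, `window`) are assumptions chosen so that the three failures visible in the table trigger; the page's own IDS rule counted five failures that are not all shown. Correlated ALERT rows (the IDS pattern alert and the lockout naming a targeted account) are flagged as part of the same incident.

```python
"""Credential stuffing detector over the PBQ's authentication/IDS log (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Entries transcribed from the page's Security Event Log table: (time, severity, source, message).
LOG = [
    ("11:00:00", "INFO", "auth", "Successful login: admin-svc from 10.0.0.3 -- service account for scheduled tasks"),
    ("11:02:15", "WARN", "auth", "Failed login: bwilliams from 192.0.2.10 -- invalid password"),
    ("11:02:22", "WARN", "auth", "Failed login: akim from 203.0.113.40 -- invalid password"),
    ("11:03:00", "INFO", "web", "200 GET /portal/dashboard from 192.168.1.50 -- employee access"),
    ("11:03:15", "WARN", "auth", "Failed login: lnguyen from 198.51.100.25 -- invalid password"),
    ("11:04:00", "ALERT", "ids", "Credential stuffing pattern: 5 failed logins across 3 unique accounts from 3 external IPs in 105 seconds"),
    ("11:04:30", "INFO", "system", "Certificate auto-renewal completed for portal.corp.local"),
    ("11:05:00", "INFO", "auth", "Successful login: jdoe from 192.168.1.35 -- internal workstation"),
    ("11:05:30", "INFO", "web", "200 GET /api/health from 10.0.0.5 (monitoring)"),
    ("11:06:00", "ALERT", "auth", "Account lockout triggered: bwilliams -- 5 consecutive failures from distributed IPs"),
    ("11:08:00", "INFO", "system", "Scheduled backup started: database-daily-snapshot"),
    ("11:10:00", "INFO", "web", "200 GET /intranet/wiki from 192.168.1.50"),
    ("11:12:00", "INFO", "auth", "Successful login: mwilson from 192.168.1.42 -- VPN connection"),
]

# Assumed internal address plan: RFC 1918 plus loopback. An explicit list is used rather than
# ipaddress's is_private, because that also treats the documentation ranges used in these logs
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FAILED_RE = re.compile(r"Failed login: (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def is_external(ip: str) -> bool:
    """True when the address lies outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _parse_time(t: str) -> datetime:
    return datetime.strptime(t, "%H:%M:%S")


def external_failures(log):
    """Yield (index, time, user, ip) for each failed auth login from an external address."""
    for idx, (t, _sev, src, msg) in enumerate(log):
        m = FAILED_RE.search(msg)
        if src == "auth" and m and is_external(m["ip"]):
            yield idx, _parse_time(t), m["user"], m["ip"]


def detect_credential_stuffing(log, window=timedelta(seconds=120),
                               min_failures=3, min_accounts=3, min_ips=3):
    """Return (flagged row indices, classification).

    A cluster of external failures inside `window` that spans at least `min_accounts`
    distinct accounts and `min_ips` distinct source IPs is the distributed pattern that
    separates credential stuffing from a single-source brute force against one account.
    """
    failures = list(external_failures(log))
    flagged = set()
    for _, start, _, _ in failures:
        cluster = [f for f in failures if start <= f[1] <= start + window]
        if (len(cluster) >= min_failures
                and len({f[2] for f in cluster}) >= min_accounts
                and len({f[3] for f in cluster}) >= min_ips):
            flagged.update(f[0] for f in cluster)
    if not flagged:
        return set(), "no credential stuffing pattern"
    # Pull in the ALERT rows that belong to the same incident: the IDS pattern alert and
    # any lockout or similar alert that names one of the targeted accounts.
    targeted = {f[2] for f in failures if f[0] in flagged}
    for idx, (_t, sev, _src, msg) in enumerate(log):
        if sev == "ALERT" and ("Credential stuffing" in msg or any(u in msg for u in targeted)):
            flagged.add(idx)
    return flagged, "credential stuffing"


def attacker_ips(log) -> dict:
    """Count external-source failures per IP, most active first (for the source-IP objective)."""
    counts = Counter(ip for _, _, _, ip in external_failures(log))
    return dict(counts.most_common())


if __name__ == "__main__":
    rows, kind = detect_credential_stuffing(LOG)
    print("Classification:", kind)
    for i in sorted(rows):
        print("FLAG", *LOG[i])
    print("Failures per external IP:", attacker_ips(LOG))
```

Running the block flags the three external failed logins, the IDS credential stuffing alert and the bwilliams lockout, and reports one failure per external IP; with only the rows shown, no single IP dominates, which is exactly why the distributed-pattern rule, not a per-IP counter, is what detects this campaign.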
13 total entries.
Incident Analysis
Flag the suspicious entries and answer the incident questions.