Log Analysis PBQs: Systems Security Certified Practitioner (SSCP)
Question 1 of 3 (difficulty: easy)
You are a systems security practitioner performing daily endpoint monitoring. The host-based intrusion detection system (HIDS) on a critical server has generated alerts indicating a process execution matching a known malware signature. Your supervisor asks you to review the HIDS and system logs, flag all entries related to the malware activity, and classify the incident for the initial response report.
Objectives
- Review the HIDS and system logs for malware-related activity on the server
- Flag all entries showing malware detection, file creation, registry modification, and outbound connection attempts
- Classify the type of security incident
- Identify the affected host IP address
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 06:00:00 | INFO | system | System boot completed: SRV-HR-01 (10.20.3.40) started all services successfully |
| | 06:05:00 | INFO | auth | Successful login: svc-monitor from 10.0.0.5 via SSH key (automated monitoring agent) |
| | 06:30:15 | ALERT | ids | HIDS alert: process svchost32.exe (PID 2847) matches malware signature Trojan.Downloader.GenX on SRV-HR-01 |
| | 06:30:20 | WARN | endpoint | Suspicious file created: C:\Windows\Temp\svchost32.exe on SRV-HR-01 (size: 128 KB, unsigned binary) |
| | 06:30:30 | WARN | endpoint | Registry modification: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -- new value 'WindowsHealthSvc' pointing to C:\Windows\Temp\svchost32.exe |
| | 06:31:00 | INFO | system | Scheduled task: daily disk usage report generated on SRV-HR-01 |
| | 06:31:30 | ALERT | ids | HIDS alert: svchost32.exe (PID 2847) attempting outbound connection to 203.0.113.99:8443 -- blocked by host firewall |
| | 06:32:00 | INFO | web | 200 GET /intranet/portal from 192.168.1.30 (employee workstation) |
| | 06:33:00 | INFO | auth | Successful login: hr_analyst from 192.168.1.30 to SRV-HR-01 via RDP |
| | 06:34:00 | INFO | system | Windows Event Log service: log rotation completed for Security.evtx on SRV-HR-01 |
| | 06:35:00 | WARN | ids | HIDS alert: svchost32.exe spawned child process cmd.exe on SRV-HR-01 -- unusual process tree |
| | 06:36:00 | INFO | system | Antivirus definition update: signatures updated to version 2026.04.28.001 on SRV-HR-01 |
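The triage the objectives describe (pick out the HIDS signature match, the dropped file, the Run-key persistence entry, the outbound connection attempt and the child-process alert, then tie them to the affected host) can be automated over the log rows. The script below is an added example and is not part of the exercise or its provider's material: the `LOG_ROWS` tuples are transcribed from the table above, while the regular expressions, the category names such as `registry_persistence`, and the `incident_type` label in the summary are this example's own assumptions about how an analyst might encode the flagging criteria.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the twelve Security Event Log rows from the exercise:
# (time, severity, source, message), transcribed from the table.
LOG_ROWS = [
    ("06:00:00", "INFO", "system", "System boot completed: SRV-HR-01 (10.20.3.40) started all services successfully"),
    ("06:05:00", "INFO", "auth", "Successful login: svc-monitor from 10.0.0.5 via SSH key (automated monitoring agent)"),
    ("06:30:15", "ALERT", "ids", "HIDS alert: process svchost32.exe (PID 2847) matches malware signature Trojan.Downloader.GenX on SRV-HR-01"),
    ("06:30:20", "WARN", "endpoint", "Suspicious file created: C:\\Windows\\Temp\\svchost32.exe on SRV-HR-01 (size: 128 KB, unsigned binary)"),
    ("06:30:30", "WARN", "endpoint", "Registry modification: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -- new value 'WindowsHealthSvc' pointing to C:\\Windows\\Temp\\svchost32.exe"),
    ("06:31:00", "INFO", "system", "Scheduled task: daily disk usage report generated on SRV-HR-01"),
    ("06:31:30", "ALERT", "ids", "HIDS alert: svchost32.exe (PID 2847) attempting outbound connection to 203.0.113.99:8443 -- blocked by host firewall"),
    ("06:32:00", "INFO", "web", "200 GET /intranet/portal from 192.168.1.30 (employee workstation)"),
    ("06:33:00", "INFO", "auth", "Successful login: hr_analyst from 192.168.1.30 to SRV-HR-01 via RDP"),
    ("06:34:00", "INFO", "system", "Windows Event Log service: log rotation completed for Security.evtx on SRV-HR-01"),
    ("06:35:00", "WARN", "ids", "HIDS alert: svchost32.exe spawned child process cmd.exe on SRV-HR-01 -- unusual process tree"),
    ("06:36:00", "INFO", "system", "Antivirus definition update: signatures updated to version 2026.04.28.001 on SRV-HR-01"),
]


@dataclass
class Entry:
    time: str
    severity: str
    source: str
    message: str
    categories: list = field(default_factory=list)  # filled in by flag_entries()


# Assumed message patterns (this example's own, modelled on the rows above).
SIGNATURE_RE = re.compile(r"process (\S+) \(PID (\d+)\) matches malware signature (\S+)")
HOST_IP_RE = re.compile(r"(SRV-[A-Z0-9-]+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOST_RE = re.compile(r"\b(SRV-[A-Z0-9-]+)\b")
DEST_RE = re.compile(r"outbound connection to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run -- new value '([^']+)'")


def find_malware_process(entries):
    """Return (process name, PID, signature) from the first HIDS signature-match alert, or None."""
    for e in entries:
        m = SIGNATURE_RE.search(e.message)
        if e.source == "ids" and m:
            return m.group(1), int(m.group(2)), m.group(3)
    return None


def flag_entries(rows):
    """Tag every row whose activity belongs to the detected process; untouched rows keep an empty list."""
    entries = [Entry(*r) for r in rows]
    found = find_malware_process(entries)
    if found is None:
        return entries
    proc = found[0]
    for e in entries:
        msg = e.message
        if SIGNATURE_RE.search(msg):
            e.categories.append("malware_detection")
        if msg.startswith("Suspicious file created") and proc in msg:
            e.categories.append("file_creation")
        if RUN_KEY_RE.search(msg) and proc in msg:
            e.categories.append("registry_persistence")
        if DEST_RE.search(msg) and proc in msg:
            e.categories.append("outbound_connection")
        if "spawned child process" in msg and proc in msg:
            e.categories.append("child_process")
    return entries


def flagged(entries):
    return [e for e in entries if e.categories]


def affected_host(entries):
    """Resolve the host named in the flagged entries to the IP the boot record associates with it."""
    hosts = {h: ip for e in entries for h, ip in HOST_IP_RE.findall(e.message)}
    for e in flagged(entries):
        m = HOST_RE.search(e.message)
        if m and m.group(1) in hosts:
            return m.group(1), hosts[m.group(1)]
    return None


def summarize(entries):
    """Collect the facts an analyst would carry into the initial response report."""
    cats = {c for e in entries for c in e.categories}
    found = find_malware_process(entries)
    dest, blocked, persistence = None, False, None
    for e in entries:
        m = DEST_RE.search(e.message)
        if m and "outbound_connection" in e.categories:
            dest = (m.group(1), int(m.group(2)))
            blocked = "blocked by host firewall" in e.message
        m = RUN_KEY_RE.search(e.message)
        if m and "registry_persistence" in e.categories:
            persistence = m.group(1)
    return {
        "incident_type": "malware_infection" if "malware_detection" in cats else "none",
        "signature": found[2] if found else None,
        "host": affected_host(entries),
        "persistence_run_value": persistence,
        "outbound_destination": dest,
        "outbound_blocked": blocked,
        "flagged_times": [e.time for e in flagged(entries)],
    }


if __name__ == "__main__":
    for e in flagged(flag_entries(LOG_ROWS)):
        print(e.time, e.severity, e.source, e.categories)
    print(summarize(flag_entries(LOG_ROWS)))
```

Anchoring every rule on the process name taken from the HIDS signature alert is what keeps the benign noise out of the flagged set: the antivirus definition update at 06:36:00 mentions "signatures" but never matches the alert pattern, and the hr_analyst RDP login and the log-rotation notice on the same host stay unflagged because neither names the process.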