Final answer:
The security analyst must investigate the application log further to determine exactly which type of threat is being identified by the SIEM alert involving the test account. Without more details, any of the presented options could be plausible. Closer analysis is needed to confirm the nature of the activity.
Step-by-step explanation:
In the scenario provided, a security analyst receives a SIEM alert for a login to a test account used for early detection of attacks. The analyst could conclude any of the following options:
- A replay attack is being conducted against the application.
- An injection attack is being conducted against a user authentication system.
- A service account password may have been changed, resulting in continuous failed logins within the application.
- A credentialed vulnerability scanner attack is testing several CVEs against the application.
Without further details on the application log, it is not possible to definitively determine which of the aforementioned options is occurring. However, the fact that the test account is involved suggests some form of testing or probing for weaknesses. Therefore, the analyst would typically investigate further to identify the specific nature of the suspicious activity, thereby confirming the type of attack or issue.