A company has noticed unusual activity on their network and has started an investigation. As a security analyst, you are reviewing logs from various endpoints to identify the source of the activity. Which of the following log entries would likely indicate a security incident in progress?
Repeated login failures from a single source, followed by a successful login to an administrative account.
Scheduled system updates being applied outside of office hours.
Periodic security scanning by the in-house vulnerability management tool.
A single successful login to a user account during working hours.
Endpoint logs provide invaluable information about the activity occurring on individual systems. In this case, repeated login failures from a single source followed by a successful login often indicate a brute force attack, in which an attacker repeatedly tries different passwords until the correct one is found. When the account finally accessed is an administrative one, the pattern is a strong indication of a compromised privileged account, which is why the answer describing it is correct. The other answers describe events that are routine and not by themselves indicative of a security incident: a single successful login during working hours, periodic scanning by the in-house vulnerability management tool, and scheduled system updates applied outside of office hours.
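The pattern described above can be turned into a simple detection rule. The following is an added example, not part of the original question or its explanation; it assumes a simplified sshd-style log format and a constructed set of account names to treat as administrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified sshd-like format (not from a real system).
SAMPLE_LOG = """\
2024-03-01T02:14:05 host1 auth: Failed password for admin from 203.0.113.7
2024-03-01T02:14:09 host1 auth: Failed password for admin from 203.0.113.7
2024-03-01T02:14:13 host1 auth: Failed password for admin from 203.0.113.7
2024-03-01T02:14:18 host1 auth: Failed password for admin from 203.0.113.7
2024-03-01T02:14:22 host1 auth: Failed password for admin from 203.0.113.7
2024-03-01T02:14:27 host1 auth: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 host2 auth: Accepted password for alice from 198.51.100.20
2024-03-01T09:06:00 host2 auth: Failed password for bob from 198.51.100.21
2024-03-01T09:06:30 host2 auth: Accepted password for bob from 198.51.100.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumption: which account names count as administrative in this environment.
ADMIN_ACCOUNTS = {"admin", "root"}


def detect_bruteforce_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source accumulates >= threshold failed logins within
    `window` and then logs in successfully; flag administrative accounts."""
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format instead of crashing
        ts = datetime.fromisoformat(m["ts"])
        src, user, result = m["src"], m["user"], m["result"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # discard failures older than the sliding window
        if result == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:  # success after a burst of failures
            alerts.append({"host": m["host"], "src": src, "user": user,
                           "failures": len(recent),
                           "admin": user in ADMIN_ACCOUNTS})
            recent.clear()
    return alerts
```

Bob's single failure followed by a success stays below the threshold and produces no alert, while the burst against `admin` from 203.0.113.7 does.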