Cybersecurity Exercise #1

Exercise · Log Triage (Auth + Endpoint Anomalies)

SOC · English
Read the logs, identify what looks suspicious, and explain your reasoning in clear English. Then deliver a short spoken triage report: What happened → Why it matters → What to do next.
Training dataset: These logs are fictional and safe. They mimic common formats (web access + auth + WAF-style events) so students can practice analysis and spoken reporting.
Tip: start with “What stands out?” then “What’s the most likely explanation?”
Case 1
Spoken Report Builder (60–90 seconds)
Use this structure: Summary → Evidence → Impact → Next steps
Challenge: include at least 3 modal verbs (should / might / could / must).
🎯 Instructions (Oral): task flow
  1. Select a case and read the logs from top to bottom once without stopping.
  2. Click “Highlight suspicious lines” to see what the system flags (don’t rely on it 100%).
  3. Write 4 bullets: What happened → Evidence → Impact → Next steps.
  4. Deliver a 60–90 second spoken report using Summary → Evidence → Impact → Next steps.
  5. Use modal verbs to sound professional: should, might, could, must, may.
📖 Vocabulary definitions
  • authentication — verifying a user’s identity (e.g., password + MFA).
  • authorization — confirming what an authenticated user is allowed to do.
  • failed login — an unsuccessful attempt to sign in.
  • brute-force attack — repeated guesses of passwords or tokens until one works.
  • account takeover (ATO) — unauthorized control of a user account.
  • token — a credential used to access APIs (often short-lived).
  • anomaly — behavior that deviates from normal patterns.
  • indicator (IOC) — a clue suggesting suspicious activity (IP, user-agent, endpoint, etc.).
  • rate limiting — restricting how many requests can happen in a time window.
  • WAF — web application firewall that blocks suspicious web requests.
🧩 Collocations: natural pairings
  • detect anomalous activity / flag suspicious requests
  • trigger an alert / generate an incident ticket
  • observe repeated failures / correlate events across logs
  • confirm a compromise / rule out false positives
  • rotate credentials / revoke tokens
  • block an IP / throttle requests / enforce MFA
🗣️ Idioms, Phrasal Verbs, and Useful Phrases: spoken English
  • stand out — “A few lines really stand out.”
  • line up — “The timestamps line up with the alert.”
  • point to — “This points to a credential-stuffing attempt.”
  • rule out — “We should rule out a misconfigured script.”
  • lock down — “We need to lock down the admin endpoint.”
  • on the safe side — “To be on the safe side, revoke the token.”
  • at a glance — “At a glance, this looks automated.”
  • working theory — “My working theory is that the account was targeted.”
🎤 Model Answer (spoken style): example

Spoken triage report (example):

“Summary: We are seeing multiple failed login attempts against a single user account, followed by a successful login from a new location. This might indicate credential stuffing or a brute-force attempt that eventually succeeded.

Evidence: The logs show repeated 401 Unauthorized responses over a short window, a consistent user-agent that looks automated, and then a 200 OK login event from the same source IP. Shortly after, there are requests to sensitive endpoints like /api/export.

Impact: If this is a real account takeover, the attacker could access data and export records. That would affect confidentiality and possibly compliance.

Next steps: We should reset the user’s password, enforce MFA, and review recent sessions. We must revoke active tokens and consider temporary rate limiting or blocking the source IP. We should also check whether other accounts were targeted using the same pattern.”
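The pattern the model answer describes (a burst of 401s against one account, a 200 login from the same source, then requests to sensitive endpoints) can be turned into a small triage script that pulls the evidence for the spoken report out of the log. The following is an added example, not part of the exercise materials: the log lines are constructed (fictional addresses and users) in a simplified single-line format, and the failure threshold, time window, sensitive-path list and “automated user-agent” hints are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (fictional), simplified web-access + auth format:
# <ISO time> <src_ip> <method> <path> <status> "<user-agent>" user=<name>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.45 POST /login 401 "python-requests/2.31" user=alice
2024-03-01T10:00:02Z 203.0.113.45 POST /login 401 "python-requests/2.31" user=alice
2024-03-01T10:00:03Z 203.0.113.45 POST /login 401 "python-requests/2.31" user=alice
2024-03-01T10:00:04Z 203.0.113.45 POST /login 401 "python-requests/2.31" user=alice
2024-03-01T10:00:05Z 203.0.113.45 POST /login 401 "python-requests/2.31" user=alice
2024-03-01T10:00:06Z 203.0.113.45 POST /login 401 "python-requests/2.31" user=alice
2024-03-01T10:00:08Z 203.0.113.45 POST /login 200 "python-requests/2.31" user=alice
2024-03-01T10:00:15Z 203.0.113.45 GET /api/export 200 "python-requests/2.31" user=alice
2024-03-01T10:00:20Z 203.0.113.45 GET /api/users 200 "python-requests/2.31" user=alice
2024-03-01T10:05:00Z 198.51.100.7 POST /login 401 "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0" user=bob
2024-03-01T10:05:30Z 198.51.100.7 POST /login 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0" user=bob
2024-03-01T10:06:00Z 198.51.100.7 GET /dashboard 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0" user=bob
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" user=(?P<user>\S+)$'
)

# Assumed tuning values (not from the exercise): how many 401s in the window
# count as a burst, which paths are sensitive, and which user-agents look scripted.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
SENSITIVE_PREFIXES = ("/api/export", "/admin")
AUTOMATED_UA_HINTS = ("python-requests", "curl/", "go-http-client")


def parse(log_text):
    """Parse lines into dicts (sorted by time); lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def looks_automated(user_agent):
    """Heuristic only: a scripted user-agent is a clue, not proof, of automation."""
    return any(hint in user_agent for hint in AUTOMATED_UA_HINTS)


def find_ato_candidates(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Flag (user, ip) pairs with >= threshold 401s on /login inside the sliding window,
    followed by a 200 on /login from the same ip; collect evidence for the report."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["user"], ev["ip"])].append(ev)

    findings = []
    for (user, ip), evs in by_pair.items():
        fails = []  # timestamps of recent 401s for this pair
        for ev in evs:
            if ev["path"] != "/login":
                continue
            fails = [t for t in fails if ev["ts"] - t <= window]  # drop stale failures
            if ev["status"] == 401:
                fails.append(ev["ts"])
            elif ev["status"] == 200 and len(fails) >= threshold:
                after_login = [e for e in evs if e["ts"] > ev["ts"]]
                findings.append({
                    "user": user,
                    "ip": ip,
                    "failed_logins": len(fails),
                    "first_failure": fails[0].isoformat(),
                    "login_time": ev["ts"].isoformat(),
                    "automated_user_agent": looks_automated(ev["ua"]),
                    "sensitive_paths": [e["path"] for e in after_login
                                        if e["path"].startswith(SENSITIVE_PREFIXES)],
                })
                fails = []  # start a fresh window after a flagged success
    return findings


def report_bullets(finding):
    """Four bullets in the exercise's structure: what happened, evidence, impact, next steps."""
    ua_note = "scripted-looking user-agent" if finding["automated_user_agent"] else "browser-like user-agent"
    return [
        f"What happened: {finding['failed_logins']} failed logins for {finding['user']} from "
        f"{finding['ip']}, then a successful login at {finding['login_time']}.",
        f"Evidence: repeated 401s since {finding['first_failure']}, {ua_note}, "
        f"sensitive paths after login: {finding['sensitive_paths'] or 'none seen'}.",
        "Impact: possible account takeover; exported data could affect confidentiality.",
        "Next steps: reset the password, enforce MFA, revoke active tokens, "
        "rate-limit or block the source IP, and check other accounts for the same pattern.",
    ]


if __name__ == "__main__":
    for finding in find_ato_candidates(parse(SAMPLE_LOG)):
        print("\n".join(report_bullets(finding)))
```

In the constructed data only alice is flagged: bob has a single 401 before his 200, which is below the threshold, so the rule does not fire on an ordinary mistyped password. The window and threshold are where false positives are tuned in practice, and the user-agent check is kept as supporting evidence rather than a trigger on its own.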