Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

CompTIA CAS-005 Exam - Topic 4 Question 16 Discussion

Actual exam question for CompTIA's CAS-005 exam
Question #: 16
Topic #: 4
[All CAS-005 Questions]

[Security Operations]

A company'sSIEMis designed to associate the company'sasset inventorywith user events. Given the following report:

Which of thefollowing should asecurity engineer investigate firstas part of alog audit?

Show Suggested Answer Hide Answer
Suggested Answer: D

Comprehensive and Detailed

Understanding the Security Event:

Administrator accounts are highly privilegedand require strict monitoring.

Server 4 shows failed login attempts for the administrator account.This could indicate abrute-force attack or unauthorized access attempt.

The fact thatnone of the admin login attempts were successfulsuggestssomeone was trying to guess the credentials.

Why Option D isCorrect:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access, they couldescalate privileges and compromise the network.

Investigatingunauthorized admin login attemptsshould be thetop priorityin a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs):While this is concerning, it does not indicate anactive attack.

B (Lateral movement):There's no evidence of a compromised account moving between servers yet.

C (Misconfigured syslog server):False negatives are a possibility, but thefailed admin loginsare real.


CompTIA SecurityX CAS-005 Official Study Guide:SIEM & Incident Analysis

MITRE ATT&CK (T1078.002):Valid Accounts - Administrator Compromise

by Carli at Jul 04, 2025, 05:54 AM

Limited Time Offer

25%

Off

Get Premium CAS-005 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Miles
4 months ago
Lateral movement is super concerning, but admin access is priority.
upvoted 0 times
...
Ressie
4 months ago
Surprised that endpoint logs matter less than admin attempts. Seems off.
upvoted 0 times
...
Lucy
4 months ago
I think the misconfigured syslog server could be a major issue too.
upvoted 0 times
...
Ozell
4 months ago
I’d check the endpoint first. No logs means something’s wrong!
upvoted 0 times
...
Kate
5 months ago
Definitely the unauthorized usage attempts! That's a big red flag.
upvoted 0 times
...
Delpha
5 months ago
I’m leaning towards option A because if an endpoint isn’t submitting logs, it could indicate a bigger issue, but I’m not completely confident about that.
upvoted 0 times
...
Cassi
5 months ago
I think we practiced a similar question where lateral movement was a key indicator of a breach. So, option B could be a priority to investigate first.
upvoted 0 times
...
Kara
5 months ago
I'm not entirely sure, but I feel like a misconfigured syslog server could lead to missing critical logs, which makes option C a strong contender too.
upvoted 0 times
...
Yvonne
5 months ago
I remember we discussed the importance of checking for unauthorized access attempts, so I think option D might be the right choice.
upvoted 0 times
...
Catarina
6 months ago
Ah, this is a tricky one. I'll need to consider the context of the SIEM system and the company's asset inventory to decide which option is the most appropriate first step in the investigation.
upvoted 0 times
...
Willetta
6 months ago
The key here is to identify the most urgent security concern based on the information provided. I'll start by looking for any signs of unauthorized access or lateral movement within the network.
upvoted 0 times
...
Lashonda
6 months ago
Hmm, I'm a bit unsure here. The question is asking about what to investigate first, so I'll need to carefully review the report and options to determine the most critical issue.
upvoted 0 times
...
Gail
6 months ago
This looks like a straightforward SIEM log analysis question. I'll focus on identifying any anomalies or potential security incidents first.
upvoted 0 times
...
Cathrine
8 months ago
Haha, I bet the syslog server is just having a bad day. Maybe it's running on a toaster or something. Time to upgrade the kitchen appliances!
upvoted 0 times
...
Jamey
8 months ago
Unauthorized usage of the admin account? That's a serious security breach waiting to happen. We better investigate that one pronto!
upvoted 0 times
...
Bernardo
8 months ago
That's a valid point, we should consider both options and prioritize based on the severity of the threat.
upvoted 0 times
...
Ivan
8 months ago
A misconfigured syslog server creating false negatives? That's just asking for trouble. We need to make sure our logging is accurate and reliable.
upvoted 0 times
Wilda
7 months ago
Let's prioritize fixing that issue to ensure our logging is accurate.
upvoted 0 times
...
Marta
7 months ago
Agreed, false negatives could lead to missed security incidents.
upvoted 0 times
...
Loise
7 months ago
We should definitely investigate the misconfigured syslog server first.
upvoted 0 times
...
...
Deonna
9 months ago
But what about the potential attacker moving laterally in the network? Shouldn't we look into that as well?
upvoted 0 times
...
Ilene
9 months ago
I agree with Bernardo, that could indicate a bigger issue.
upvoted 0 times
...
Natalie
9 months ago
Lateral movement by an attacker? That's definitely a red flag we need to look into right away. Can't let them gain a foothold in the network.
upvoted 0 times
Norah
8 months ago
Let's make sure to address both the lateral movement and unauthorized usage attempts to secure the network.
upvoted 0 times
...
Ryan
9 months ago
I think unauthorized usage attempts of the administrator account is also a critical issue that needs immediate attention.
upvoted 0 times
...
Stephanie
9 months ago
Agreed, we should prioritize investigating potential lateral movement by the attacker.
upvoted 0 times
...
...
Bernardo
9 months ago
I think we should investigate the endpoint not submitting logs first.
upvoted 0 times
...
Cristen
9 months ago
The endpoint not submitting logs sounds like the most pressing issue. How can we monitor the environment if we're missing data?
upvoted 0 times
Arleen
9 months ago
Let's prioritize fixing that issue to ensure we have full visibility into our environment.
upvoted 0 times
...
Walker
9 months ago
Agreed, that could be a major security gap in our monitoring.
upvoted 0 times
...
Iola
9 months ago
We should definitely investigate the endpoint not submitting logs first.
upvoted 0 times
...
...

Save Cancel