CompTIA CAS-005 Exam - Topic 4 Question 16 Discussion

Actual exam question for CompTIA's CAS-005 exam
Question #: 16
Topic #: 4

[Security Operations]

A company's SIEM is designed to associate the company's asset inventory with user events. Given the following report:

Which of the following should a security engineer investigate first as part of a log audit?

Suggested Answer: D

Comprehensive and Detailed

Understanding the Security Event:

Administrator accounts are highly privileged and require strict monitoring.

Server 4 shows failed login attempts for the administrator account. This could indicate a brute-force attack or unauthorized access attempt.

The fact that none of the admin login attempts were successful suggests someone was trying to guess the credentials.

Why Option D is Correct:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access, they could escalate privileges and compromise the network.

Investigating unauthorized admin login attempts should be the top priority in a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs): While this is concerning, it does not indicate an active attack.

B (Lateral movement): There's no evidence of a compromised account moving between servers yet.

C (Misconfigured syslog server): False negatives are a possibility, but the failed admin logins are real.


CompTIA SecurityX CAS-005 Official Study Guide: SIEM & Incident Analysis

MITRE ATT&CK (T1078.002): Valid Accounts - Administrator Compromise
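The triage order the explanation argues for (failed privileged logons first, a silent endpoint second, lateral movement only when one account succeeds on several hosts) can be expressed as a small correlation over SIEM events joined to the asset inventory. This is an added illustration, not code from the exam or the study guide; the inventory, event records and host names are constructed samples, and the priority ranks are assumptions that mirror the explanation above.

```python
from collections import defaultdict

# Constructed sample: the asset inventory the SIEM joins user events against.
INVENTORY = {
    "server4": {"role": "domain-controller", "expected_to_log": True},
    "server2": {"role": "file-server", "expected_to_log": True},
    "endpoint7": {"role": "workstation", "expected_to_log": True},
}

# Constructed sample events, already normalised to host/user/action/result.
EVENTS = [
    {"host": "server4", "user": "Administrator", "action": "logon", "result": "failure"},
    {"host": "server4", "user": "Administrator", "action": "logon", "result": "failure"},
    {"host": "server4", "user": "Administrator", "action": "logon", "result": "failure"},
    {"host": "server2", "user": "jdoe", "action": "logon", "result": "success"},
]

PRIVILEGED = {"administrator", "root"}  # assumed list of accounts to treat as privileged


def triage(events, inventory):
    """Return (priority, finding) pairs; the first item is what to investigate first."""
    findings = []
    # Priority 1: failed logons against privileged accounts (the option D case).
    failed, succeeded = defaultdict(int), defaultdict(int)
    for e in events:
        if e["action"] == "logon" and e["user"].lower() in PRIVILEGED:
            key = (e["host"], e["user"].lower())
            if e["result"] == "failure":
                failed[key] += 1
            else:
                succeeded[key] += 1
    for (host, user), n in failed.items():
        findings.append((1, f"{n} failed {user} logons on {host} ({succeeded[(host, user)]} successful)"))
    # Priority 2: inventory hosts that sent nothing: a visibility gap, not an active attack (option A).
    reporting = {e["host"] for e in events}
    for host, meta in inventory.items():
        if meta["expected_to_log"] and host not in reporting:
            findings.append((2, f"{host} ({meta['role']}) submitted no logs"))
    # Priority 3: one account succeeding on several hosts would be a lateral-movement signal (option B).
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["action"] == "logon" and e["result"] == "success":
            hosts_by_user[e["user"]].add(e["host"])
    for user, hosts in hosts_by_user.items():
        if len(hosts) > 1:
            findings.append((3, f"{user} succeeded on {len(hosts)} hosts: {sorted(hosts)}"))
    return sorted(findings)
```

With the sample data the first finding is the three failed administrator logons on server4 with zero successes, and the silent endpoint7 comes second; no lateral-movement finding is produced because jdoe only logged on to one host.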

Contribute your Thoughts:

Miles
2 months ago
Lateral movement is super concerning, but admin access is priority.
upvoted 0 times
...
Ressie
2 months ago
Surprised that endpoint logs matter less than admin attempts. Seems off.
upvoted 0 times
...
Lucy
3 months ago
I think the misconfigured syslog server could be a major issue too.
upvoted 0 times
...
Ozell
3 months ago
I’d check the endpoint first. No logs means something’s wrong!
upvoted 0 times
...
Kate
3 months ago
Definitely the unauthorized usage attempts! That's a big red flag.
upvoted 0 times
...
Delpha
3 months ago
I’m leaning towards option A because if an endpoint isn’t submitting logs, it could indicate a bigger issue, but I’m not completely confident about that.
upvoted 0 times
...
Cassi
4 months ago
I think we practiced a similar question where lateral movement was a key indicator of a breach. So, option B could be a priority to investigate first.
upvoted 0 times
...
Kara
4 months ago
I'm not entirely sure, but I feel like a misconfigured syslog server could lead to missing critical logs, which makes option C a strong contender too.
upvoted 0 times
...
Yvonne
4 months ago
I remember we discussed the importance of checking for unauthorized access attempts, so I think option D might be the right choice.
upvoted 0 times
...
Catarina
4 months ago
Ah, this is a tricky one. I'll need to consider the context of the SIEM system and the company's asset inventory to decide which option is the most appropriate first step in the investigation.
upvoted 0 times
...
Willetta
4 months ago
The key here is to identify the most urgent security concern based on the information provided. I'll start by looking for any signs of unauthorized access or lateral movement within the network.
upvoted 0 times
...
Lashonda
4 months ago
Hmm, I'm a bit unsure here. The question is asking about what to investigate first, so I'll need to carefully review the report and options to determine the most critical issue.
upvoted 0 times
...
Gail
5 months ago
This looks like a straightforward SIEM log analysis question. I'll focus on identifying any anomalies or potential security incidents first.
upvoted 0 times
...
Cathrine
7 months ago
Haha, I bet the syslog server is just having a bad day. Maybe it's running on a toaster or something. Time to upgrade the kitchen appliances!
upvoted 0 times
...
Jamey
7 months ago
Unauthorized usage of the admin account? That's a serious security breach waiting to happen. We better investigate that one pronto!
upvoted 0 times
...
Bernardo
7 months ago
That's a valid point, we should consider both options and prioritize based on the severity of the threat.
upvoted 0 times
...
Ivan
7 months ago
A misconfigured syslog server creating false negatives? That's just asking for trouble. We need to make sure our logging is accurate and reliable.
upvoted 0 times
Wilda
5 months ago
Let's prioritize fixing that issue to ensure our logging is accurate.
upvoted 0 times
...
Marta
5 months ago
Agreed, false negatives could lead to missed security incidents.
upvoted 0 times
...
Loise
5 months ago
We should definitely investigate the misconfigured syslog server first.
upvoted 0 times
...
...
Deonna
7 months ago
But what about the potential attacker moving laterally in the network? Shouldn't we look into that as well?
upvoted 0 times
...
Ilene
7 months ago
I agree with Bernardo, that could indicate a bigger issue.
upvoted 0 times
...
Natalie
8 months ago
Lateral movement by an attacker? That's definitely a red flag we need to look into right away. Can't let them gain a foothold in the network.
upvoted 0 times
Norah
7 months ago
Let's make sure to address both the lateral movement and unauthorized usage attempts to secure the network.
upvoted 0 times
...
Ryan
7 months ago
I think unauthorized usage attempts of the administrator account is also a critical issue that needs immediate attention.
upvoted 0 times
...
Stephanie
7 months ago
Agreed, we should prioritize investigating potential lateral movement by the attacker.
upvoted 0 times
...
...
Bernardo
8 months ago
I think we should investigate the endpoint not submitting logs first.
upvoted 0 times
...
Cristen
8 months ago
The endpoint not submitting logs sounds like the most pressing issue. How can we monitor the environment if we're missing data?
upvoted 0 times
Arleen
7 months ago
Let's prioritize fixing that issue to ensure we have full visibility into our environment.
upvoted 0 times
...
Walker
7 months ago
Agreed, that could be a major security gap in our monitoring.
upvoted 0 times
...
Iola
8 months ago
We should definitely investigate the endpoint not submitting logs first.
upvoted 0 times
...
...
