
CompTIA Exam CAS-005 Topic 4 Question 16 Discussion

Actual exam question for CompTIA's CAS-005 exam
Question #: 16
Topic #: 4

[Security Operations]

A company's SIEM is designed to associate the company's asset inventory with user events. Given the following report:

Which of the following should a security engineer investigate first as part of a log audit?

Suggested Answer: D

Comprehensive and Detailed

Understanding the Security Event:

Administrator accounts are highly privileged and require strict monitoring.

Server 4 shows failed login attempts for the administrator account. This could indicate a brute-force attack or an unauthorized access attempt.

The fact that none of the admin login attempts were successful suggests someone was trying to guess the credentials. A service or scheduled task retrying a stale credential can produce the same pattern, which is why the source of the attempts is the first thing to check.

Why Option D is Correct:

Failed logins for administrator accounts are a critical security concern.

If an attacker gains access to the administrator account, they could use it to move laterally and compromise the network.

Investigating unauthorized admin login attempts should be the top priority in a log audit.

Why Other Options Are Incorrect:

A (Endpoint not submitting logs): While this is concerning and leaves a blind spot, it does not by itself indicate an active attack.

B (Lateral movement): There is no evidence yet of a compromised account moving between servers; the report shows failed attempts, not successful logins on multiple hosts.

C (Misconfigured syslog server): Missing events (false negatives) are possible, but that is a data-quality gap to fix; the failed admin logins are evidence already in hand.


CompTIA SecurityX CAS-005 Official Study Guide: SIEM & Incident Analysis

MITRE ATT&CK T1078.002: Valid Accounts: Domain Accounts (the password-guessing attempts themselves map to T1110, Brute Force)
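The triage the explanation argues for, written out as an added example (not code from the exam, the study guide or this page): SIEM-style auth events are joined to an asset inventory, failed privileged logins are counted per host, a simple lateral-movement check and a silent-host check run alongside, and findings are ordered the way the suggested answer ranks them. The hostnames, accounts, IP addresses, log lines, log format and thresholds are all constructed for the example.

```python
"""Log-audit triage over constructed SIEM auth events joined to an asset inventory."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hostname -> role); not the exam's report.
ASSET_INVENTORY = {
    "server1": "web",
    "server2": "file",
    "server3": "db",
    "server4": "domain-controller",
    "server5": "print",
}

# Constructed auth log in a made-up "timestamp host user result src" format.
SAMPLE_LOG = """\
2024-05-01T09:00:12 server1 jdoe SUCCESS 10.0.5.20
2024-05-01T09:01:03 server4 administrator FAILURE 198.51.100.7
2024-05-01T09:01:05 server4 administrator FAILURE 198.51.100.7
2024-05-01T09:01:09 server4 administrator FAILURE 198.51.100.7
2024-05-01T09:01:14 server4 administrator FAILURE 198.51.100.7
2024-05-01T09:10:40 server2 msmith SUCCESS 10.0.5.31
2024-05-01T09:12:51 server3 svc_backup SUCCESS 10.0.5.9
"""

# Assumed set of privileged account names; adjust to the environment.
ADMIN_ACCOUNTS = {"administrator", "root"}
# End of the constructed audit window.
AUDIT_NOW = datetime(2024, 5, 1, 9, 15)


def parse_log(text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, result, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user.lower(), "success": result == "SUCCESS", "src": src})
    return events


def admin_login_summary(events):
    """Per host: failed and successful privileged-account logins and their sources."""
    summary = {}
    for e in events:
        if e["user"] not in ADMIN_ACCOUNTS:
            continue
        s = summary.setdefault(e["host"], {"failed": 0, "succeeded": 0, "sources": set()})
        s["succeeded" if e["success"] else "failed"] += 1
        s["sources"].add(e["src"])
    return summary


def lateral_movement_candidates(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts with successful logins on at least min_hosts distinct hosts inside window."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def silent_hosts(events, inventory, now, max_gap=timedelta(minutes=15)):
    """Inventory hosts with no event inside the window: the logging gap of option A."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h in inventory if now - last_seen.get(h, datetime.min) > max_gap)


def triage(log_text, inventory, now):
    """Rank findings: failed privileged logins (1), lateral movement (2), silent hosts (3)."""
    events = parse_log(log_text)
    findings = []
    for host, s in admin_login_summary(events).items():
        if s["failed"]:
            findings.append((1, f"{s['failed']} failed admin logins on {host} "
                                f"({s['succeeded']} succeeded) from {sorted(s['sources'])}"))
    for user, hosts in lateral_movement_candidates(events).items():
        findings.append((2, f"{user} logged in successfully to {len(hosts)} hosts: {hosts}"))
    for host in silent_hosts(events, inventory, now):
        findings.append((3, f"{host} ({inventory[host]}) sent no logs in the audit window"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, text in triage(SAMPLE_LOG, ASSET_INVENTORY, AUDIT_NOW):
        print(priority, text)
```

On the constructed data the first finding is the four failed administrator logins on server4 with no success from a single external source, the lateral-movement check returns nothing (matching the explanation's point that there is no evidence of it yet), and server5's missing logs surface last as a monitoring gap rather than an attack indicator.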

Contribute your Thoughts:

Deonna
5 days ago
But what about the potential attacker moving laterally in the network? Shouldn't we look into that as well?
upvoted 0 times
Ilene
6 days ago
I agree with Bernardo, that could indicate a bigger issue.
upvoted 0 times
Natalie
8 days ago
Lateral movement by an attacker? That's definitely a red flag we need to look into right away. Can't let them gain a foothold in the network.
upvoted 0 times
Ryan
3 days ago
I think unauthorized usage attempts of the administrator account are also a critical issue that needs immediate attention.
upvoted 0 times
Stephanie
5 days ago
Agreed, we should prioritize investigating potential lateral movement by the attacker.
upvoted 0 times
Bernardo
16 days ago
I think we should investigate the endpoint not submitting logs first.
upvoted 0 times
Cristen
16 days ago
The endpoint not submitting logs sounds like the most pressing issue. How can we monitor the environment if we're missing data?
upvoted 0 times
Walker
19 hours ago
Agreed, that could be a major security gap in our monitoring.
upvoted 0 times
Iola
10 days ago
We should definitely investigate the endpoint not submitting logs first.
upvoted 0 times