AP Cybersecurity Unit 1 Lesson 5 Lab
Lab: SOC Alert Investigation Simulation
You are the Tier 2 analyst in Vantex’s Security Operations Center. Four AI-generated SIEM alerts have arrived. Your job: triage each alert, classify the AI application that generated it, determine if it’s likely a true positive or false positive, and recommend the first response action.
Tier 1 has triaged these alerts and escalated them for investigation. You must: (1) identify which AI tool generated the alert, (2) determine if it is likely a true positive or false positive and why, and (3) recommend the specific first response action. Each alert is worth 6 points.
User: jsmith (John Smith, IT Support)
Trigger: Login geographic anomaly + access volume spike
Time: 2026-03-14 03:22:18
Login location: 203.44.21.88 (Brazil) — first international login in 90 days
Files accessed: 3,847 in past 35 min (baseline: 150-300/day, 18-37/hr)
Access targets: All shares including HR, Finance, Executive (baseline: IT shares only)
Prior 30 logins: All from 10.10.10.0/24 internal network
Which AI tool generated this alert?
Most likely classification (based on available context):
First response action (what do you do right now?):
Trigger: 5 events share IOCs with known ransomware group “Blackmatter-3” in past 90 minutes
Event 1: Outbound DNS query to syn-update-cdn[.]net (flagged in 4 threat feeds as C2 domain)
Event 2: Registry key creation at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (persistence technique)
Event 3: File hash e7f3a2b1... matches known dropper in 2 threat intel databases
Event 4: SMB lateral movement detected: 10.10.10.205 → 10.10.10.40 (unusual pairing)
Event 5: LSASS memory access (credential dumping indicator)
Confidence: 0.91
Which AI tool generated this alert?
Most likely classification (based on available context):
First response action (what do you do right now?):
Repository: patient-portal-v2.4.1
Pull request: #847 (developer: dchen)
AI scanner findings: 2 SQL injection vulnerabilities flagged
File: /api/appointments.py, Line 142: user_date passed directly to SQL query string
File: /api/appointments.py, Line 198: patient_id concatenated into DELETE statement
Recommendation: Convert both to parameterized queries
Confidence: 0.96
Which AI tool generated this alert?
Most likely classification (based on available context):
First response action (what do you do right now?):
Email delivered to: [email protected] (Claire Parker, Finance Manager)
Phishing score: 0.71 (below 0.88 auto-block threshold; banner warning applied)
Sender: [email protected] (note: financlal vs financial)
Subject: Urgent: Q1 reconciliation discrepancy — review required
Content: References real Q1 activity, mentions CFO name (Sarah M.), requests Claire download and review attachment for “reconciliation correction”
Attachment: Q1-reconciliation-v3.xlsx
Claire clicked the attachment 4 minutes after receipt
Which AI tool generated this alert?
Most likely classification (based on available context):
First response action (what do you do right now?):
SOC analyst questions on the AP exam test: (1) identifying which AI tool generated an alert from its description, (2) determining true positive vs. false positive based on context signals, and (3) naming the correct first-response action. The key: AI generates the alert; the human analyst classifies and responds. “The AI automatically isolated the workstation” is different from “the analyst investigated and then isolated the workstation” — the AP exam treats these very differently.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]