AP Cybersecurity Unit 1 Lesson 5 Lab

AP Cybersecurity — Unit 1, Topic 1.5

Lab: SOC Alert Investigation Simulation

You are the Tier 2 analyst in Vantex’s Security Operations Center. Four AI-generated SIEM alerts have arrived. Your job: triage each alert, classify the AI application that generated it, determine if it’s likely a true positive or false positive, and recommend the first response action.

Skills 3.A, 3.D, 2.D ~40–50 min • 4 Alerts • 24 pts
Your Role: Tier 2 SOC Analyst

Tier 1 has triaged these alerts and escalated them for investigation. You must: (1) identify which AI tool generated the alert, (2) determine if it is likely a true positive or false positive and why, and (3) recommend the specific first response action. Each alert is worth 6 points.

Alert 1 — Priority 2
Anomaly: User Behavior Deviation
6 pts
SIEM Alert Details

User: jsmith (John Smith, IT Support)
Trigger: Login geographic anomaly + access volume spike
Time: 2026-03-14 03:22:18
Login location: 203.44.21.88 (Brazil) — first international login in 90 days
Files accessed: 3,847 in past 35 min (baseline: 150-300/day, 18-37/hr)
Access targets: All shares including HR, Finance, Executive (baseline: IT shares only)
Prior 30 logins: All from 10.10.10.0/24 internal network

Which AI tool generated this alert?

Most likely classification (based on available context):

First response action (what do you do right now?):

Alert 2 — Priority 1
Threat Intel Correlation: Multi-Source IOC Match
6 pts
SIEM Alert Details

Trigger: 5 events share IOCs with known ransomware group “Blackmatter-3” in past 90 minutes
Event 1: Outbound DNS query to syn-update-cdn[.]net (flagged in 4 threat feeds as C2 domain)
Event 2: Registry key creation at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (persistence technique)
Event 3: File hash e7f3a2b1... matches known dropper in 2 threat intel databases
Event 4: SMB lateral movement detected: 10.10.10.205 → 10.10.10.40 (unusual pairing)
Event 5: LSASS memory access (credential dumping indicator)
Confidence: 0.91

Which AI tool generated this alert?

Most likely classification (based on available context):

First response action (what do you do right now?):

Alert 3 — Priority 3
Code Scanner: SQL Injection Vulnerability
6 pts
SIEM Alert Details

Repository: patient-portal-v2.4.1
Pull request: #847 (developer: dchen)
AI scanner findings: 2 SQL injection vulnerabilities flagged
File: /api/appointments.py, Line 142: user_date passed directly to SQL query string
File: /api/appointments.py, Line 198: patient_id concatenated into DELETE statement
Recommendation: Convert both to parameterized queries
Confidence: 0.96

Which AI tool generated this alert?

Most likely classification (based on available context):

First response action (what do you do right now?):

Alert 4 — Priority 2
Phishing Detection: Mid-Range Score Delivered
6 pts
SIEM Alert Details

Email delivered to: [email protected] (Claire Parker, Finance Manager)
Phishing score: 0.71 (below 0.88 auto-block threshold; banner warning applied)
Sender: [email protected] (note: financlal vs financial)
Subject: Urgent: Q1 reconciliation discrepancy — review required
Content: References real Q1 activity, mentions CFO name (Sarah M.), requests Claire download and review attachment for “reconciliation correction”
Attachment: Q1-reconciliation-v3.xlsx
Claire clicked the attachment 4 minutes after receipt

Which AI tool generated this alert?

Most likely classification (based on available context):

First response action (what do you do right now?):

✎ AP Exam Tip

SOC analyst questions on the AP exam test: (1) identifying which AI tool generated an alert from its description, (2) determining true positive vs. false positive based on context signals, and (3) naming the correct first-response action. The key: AI generates the alert; the human analyst classifies and responds. “The AI automatically isolated the workstation” is different from “the analyst investigated and then isolated the workstation” — the AP exam treats these very differently.

AP Cybersecurity · Unit 1 · Lesson 1.5 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]