AP Cybersecurity Unit 3 Lesson 5 Exercise 2


Exercise 2 — SIEM Dashboard Investigation

3 parts, 24 points — Diagnose alert fatigue and optimize SIEM rules at Harborview Regional Bank

Client Organization: Harborview Regional Bank

Harborview’s SOC manager is concerned that analysts are experiencing alert fatigue — the team received 18,400 alerts last week but only investigated 210 of them. The SIEM dashboard below shows last week’s summary. Your job is to analyze the SIEM data, identify which correlation rules are generating noise vs. value, and recommend tuning changes.

Total Alerts (7 days): 18,400 (+340% vs. prior week)
Investigated: 210 (1.1% of all alerts)
Confirmed True Positives: 14 (6.7% of investigated)
MTTD (Mean Time to Detect): 31 hrs (target: under 4 hrs)

Correlation rule summary (last 7 days):

Rule ID  Rule Name                                    Alerts  Investigated  True Positives
R-01     Failed login > 3 in 60s                      14,200            80               1
R-02     Outbound to known malicious IP                   47            47              11
R-03     Large file transfer (> 100MB) after hours       620            30               2
R-04     New admin account created                     3,500            50               0
R-05     Lateral movement: RDP from workstation           33            33               0
Part 1 — Identify High-Noise vs. High-Value Rules
8 points

Using the correlation rule data above, classify each rule as either HIGH NOISE (low TP rate, generating alert fatigue) or HIGH VALUE (reliable signal worth keeping as-is). Then identify the single most dangerous rule to suppress.

R-01 — Failed login > 3 in 60s (14,200 alerts, 1 TP)
R-02 — Outbound to known malicious IP (47 alerts, 11 TP)
R-03 — Large file transfer after hours (620 alerts, 2 TP)
R-04 — New admin account created (3,500 alerts, 0 TP)
R-05 — Lateral movement: RDP from workstation (33 alerts, 0 TP)
Which rule would be MOST DANGEROUS to suppress entirely, even though it has 0 TPs so far?
Part 2 — Rule Tuning Recommendations
8 points

R-01 (Failed login > 3 in 60s) generated 14,200 alerts with only 1 true positive. Propose two specific tuning changes to this rule that would reduce noise while preserving its ability to detect real brute force attacks. For each change, explain what it adjusts and why it reduces false positives.

Key terms: threshold, count, time window, whitelist, allowlist, account type, service account, privileged, geo, impossible travel, combine, correlate, AND condition, reputation
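As an added illustration for the tuning question above (not part of the original exercise), the following Python replays R-01 as written and one tuned variant over a constructed set of login events. The events, the SERVICE_ACCOUNTS allowlist, and the tuned count and window are assumptions chosen for the demonstration, not values taken from the page.

```python
from collections import defaultdict, deque

# Constructed auth events: (seconds since start, account, source IP, outcome).
# Three scenarios: a user mistyping her password, a service account retrying
# a stale credential after a rotation, and a brute-force run against "bob".
EVENTS = (
    [(i * 5, "alice", "10.0.1.5", "FAIL") for i in range(4)]
    + [(25, "alice", "10.0.1.5", "OK")]
    + [(100 + i * 2, "svc_backup", "10.0.2.20", "FAIL") for i in range(5)]
    + [(200 + i * 4, "bob", "203.0.113.9", "FAIL") for i in range(12)]
)

# Hypothetical allowlist: service accounts whose failures are routed to a
# separate, lower-priority rule instead of this one.
SERVICE_ACCOUNTS = {"svc_backup"}


def failed_login_rule(events, key, threshold, window, skip=frozenset()):
    """Sliding-window count of FAIL events grouped by `key` ("account" or "src").

    Returns the set of keys with more than `threshold` failures inside
    `window` seconds, ignoring accounts listed in `skip`.
    """
    idx = {"account": 1, "src": 2}[key]
    recent = defaultdict(deque)
    fired = set()
    for ev in sorted(events):
        ts, account, outcome = ev[0], ev[1], ev[3]
        if outcome != "FAIL" or account in skip:
            continue
        q = recent[ev[idx]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > threshold:
            fired.add(ev[idx])
    return fired


def baseline_rule(events):
    # R-01 as deployed: more than 3 failures for one account within 60 s.
    return failed_login_rule(events, "account", threshold=3, window=60)


def tuned_rule(events):
    # Tuned: raise the count, widen the window, group by source instead of
    # account, and allowlist known service accounts.
    return failed_login_rule(events, "src", threshold=10, window=300,
                             skip=SERVICE_ACCOUNTS)
```

On this data the baseline fires three times (one real), while the tuned rule fires only on the external source behind the brute-force run.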
Part 3 — Alert Fatigue: Root Cause and Consequences
8 points

Harborview’s MTTD is 31 hours — far above the 4-hour target. Select all factors contributing to this problem based on the dashboard data. Then explain in 2–3 sentences what the primary security risk is when MTTD is this high in a banking environment.

Select all contributing factors (check all that apply):
What is the primary security risk when MTTD is 31 hours in a banking environment?
Key terms: dwell time, attacker, exfiltrate, lateral, pivot, privilege escalation, regulatory, compliance, undetected, window