Exercise 2: Chained Detection Scenarios
Chained Detection Scenarios
Six mini-incidents. Each is a realistic detection scenario pulled from common SOC patterns: credential stuffing, insider threats, cloud account compromise, ransomware staging, supply chain, and log tampering. Predict the response before checking options. Understanding why the distractors are wrong matters as much as identifying the right answer.
Scenario 1: The Quiet Credential Stuffing
An e-commerce site's SOC reviews overnight alerts. The brute-force rule (10+ failed logins from one IP in 5 minutes) fired zero times. However, customer support reports four separate complaints of unauthorized purchases this morning, all from accounts whose passwords users admit to reusing from other sites. The SIEM shows 72,000 failed logins last night distributed across 18,000 source IPs and 12,000 different usernames.
The SOC manager asks: which detection would have caught this campaign in real time?
Scenario 2: The 30-Minute Exfiltration
At 2:43 AM, a UEBA engine scores an event high-risk: employee j.morrison, a software engineer who has never accessed the customer_billing database in three years of employment, ran 847 queries against it in 30 minutes, returning 4.2 GB of CSV exports. The credentials are valid. MFA challenge succeeded. The source IP is the employee's known home broadband.
The SOC lead asks: what is the highest-confidence detection signal in this event?
Scenario 3: The Leaked IAM Key
A DevOps engineer accidentally commits an AWS IAM access key to a public GitHub repository at 9:17 AM. GitHub's secret-scanning notifies the engineer at 9:19 AM. The key is rotated at 9:24 AM. However, CloudTrail logs show the following activity on the leaked key between 9:18 and 9:23 AM:9:18:02 AssumeRole: arn:aws:iam::123456:role/admin
9:18:05 ListBuckets: all-regions
9:18:22 CreateAccessKey: new-iam-user-z8x1
9:19:10 GetObject: prod-backups/db-2026-04-17.sql.gz
9:21:47 CreateUser: svc-legit (tagged "legitimate_service")
9:23:15 AttachUserPolicy: AdministratorAccess to svc-legit
The IR lead asks: besides rotating the leaked key, what is the most critical immediate action?
Scenario 4: The Pre-Encryption Signals
A SOC analyst is reviewing a Friday-afternoon alert chain from an internal file server. Over the previous 6 hours, the following activity was logged:
· 13:02 — vssadmin.exe delete shadows /all /quiet executed by SYSTEM context
· 13:05 — wbadmin.exe delete catalog -quiet
· 13:18 — 30 MB of outbound traffic to a first-seen IP (Ukraine)
· 14:22 — recursive enumeration of network shares from the server's service account
· 16:45 — EDR agent on the server stopped sending telemetry
Which of these events should have triggered the highest-priority alert for an analyst to investigate immediately?
Scenario 5: The Signed Update That Called Home
A security-monitoring platform deployed to 340 servers pushes a routine auto-update signed with the vendor's legitimate code-signing certificate. Two days later, one of the company's network sensors flags unusual DNS queries from 340 servers: they are each resolving a domain that matches a known command-and-control pattern from an industry threat-intel feed.
The IR lead must classify the incident severity using NIST SP 800-61 framing. Which severity classification applies, and what does it drive?
Scenario 6: The Logs Stopped on Tuesday
A forensic investigator examining a breached Linux web server notices the following:
· /var/log/auth.log contains entries through Tuesday at 14:22, then nothing until the compromise was discovered Thursday morning.
· auditd was configured to log to /var/log/audit/audit.log, which also shows the same Tuesday 14:22 cutoff.
· The server's bash history for the attacker's working account is empty.
· Remote syslog to the SIEM was configured and logs flowed through Tuesday 14:22 — and then stopped.
Which conclusion is best supported by this evidence?
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]