Lab: Incident Triage Tickets
Incident Triage Lab
Six SOC tickets with realistic log snippets in syslog, JSON, and CEF formats. For each, classify severity, identify the detection pattern, and recommend the containment action. Scenarios include brute force, impossible travel, WAF block waves, macro-malware process chains, log silence, and DNS tunneling — the detection patterns an AP Cybersecurity exam scenario will test.
Ticket 1: Brute Force on SSH
Your SIEM has aggregated the following syslog entries from a public-facing jump host over a 4-minute window. All other traffic from this IP is blocked at the edge firewall, but port 22 is open because the jump host is how contractors reach the environment.<38>Apr 18 14:22:09 jumphost sshd[1289]: Failed password for root from 198.51.100.42 port 51283
<38>Apr 18 14:22:11 jumphost sshd[1293]: Failed password for admin from 198.51.100.42 port 51291
<38>Apr 18 14:22:14 jumphost sshd[1297]: Failed password for oracle from 198.51.100.42 port 51302
<38>Apr 18 14:22:17 jumphost sshd[1301]: Failed password for postgres from 198.51.100.42 port 51318
<38>Apr 18 14:22:20 jumphost sshd[1305]: Failed password for ubuntu from 198.51.100.42 port 51334
<38>Apr 18 14:25:55 jumphost sshd[1309]: Accepted password for contractor_j from 198.51.100.42 port 51456
What is the highest-priority action for this ticket?
Ticket 2: Impossible Travel on Admin Account
Your SIEM fires on the following two events within an 11-minute window:{"timestamp":"2026-04-18T19:14:02Z","event":"auth_success","user":"karen.ix","source_ip":"73.22.88.104","geo":{"country":"US","city":"Kansas City"},"device_id":"mac-a4b9c2"}{"timestamp":"2026-04-18T19:25:47Z","event":"auth_success","user":"karen.ix","source_ip":"185.220.101.77","geo":{"country":"DE","city":"Frankfurt"},"device_id":"unknown"}
The karen.ix account has AdministratorAccess on three production AWS accounts. Her Slack status shows "Out: medical appointment, back 4pm CT" posted at 12:47 local time. What action do you take first?
Ticket 3: WAF Block Wave
Your WAF emits CEF logs. Over a 2-minute window, the following pattern appears:CEF:0|AWSWAF|v4|2|RULE_SQLi|Blocked SQL injection|9|src=52.9.12.44 act=blocked uri=/api/search sigid=942100
CEF:0|AWSWAF|v4|2|RULE_XSS|Blocked XSS payload|8|src=52.9.12.44 act=blocked uri=/api/search sigid=941140
CEF:0|AWSWAF|v4|2|RULE_LFI|Blocked LFI attempt|9|src=52.9.12.44 act=blocked uri=/api/search sigid=930100
CEF:0|AWSWAF|v4|2|RULE_CMDi|Blocked command injection|9|src=52.9.12.44 act=blocked uri=/api/search sigid=932100
CEF:0|AWSWAF|v4|2|RULE_RFI|Blocked RFI attempt|9|src=52.9.12.44 act=blocked uri=/api/search sigid=931100
Seven more similar events in the same window. All from the same IP, against the same endpoint, hitting different WAF signatures. What is this, and what is the correct response?
Ticket 4: The Office → PowerShell Chain
Your EDR platform emits the following process tree on an employee endpoint:OUTLOOK.EXE (PID 4012, user: j.torres, parent: explorer.exe)
→ WINWORD.EXE (PID 5821, parent: OUTLOOK.EXE, args: "/tmp/Invoice_2026-04-18.docm")
→ POWERSHELL.EXE (PID 6104, parent: WINWORD.EXE, cmd: "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand JABXAGMAPQBOAEUAVwAtAE8AQgBKAEUAYwBUACAAU...")
→ cmd.exe (PID 6217, parent: POWERSHELL.EXE, cmd: "cmd /c whoami")
→ cmd.exe (PID 6218, parent: POWERSHELL.EXE, cmd: "cmd /c net group \"Domain Admins\" /domain")
The employee reports they "opened an invoice from a supplier this morning." What is the correct containment action?
Ticket 5: The Host That Went Quiet
Your SIEM's log-source monitoring dashboard fires an alert: db-prod-04 has not shipped events in 47 minutes. Historical baseline: this host normally sends 8,000-14,000 events/hour. Three things are also true:
· The host responds to ICMP ping (it is not down).
· The host answers TCP health-checks on port 5432 (the database is running).
· No scheduled maintenance is active; no configuration change tickets exist for this host in the last 7 days.
What is the correct first action?
Ticket 6: The Strange DNS Queries
Your DNS telemetry platform flags finance-srv-07 because the server is generating an unusually high volume of DNS queries with structure like:query: f4a9.b2c1.e8d3.data-staging.example-cdn.net (TXT)
query: 3e91.c2a4.57fb.data-staging.example-cdn.net (TXT)
query: 9d8c.44b0.e1a7.data-staging.example-cdn.net (TXT)
... 2,400 similar queries in 15 minutes ...
Average query length: 54 characters. All are TXT record requests. No A records requested. The domain example-cdn.net is not on your allowlist of legitimate CDNs. The server has no known need for outbound DNS resolution at this volume. What is this, and what is the correct response?
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]