AP Cybersecurity — Unit 1, Topic 1.5
Exercise 1: AI Security Log Analyzer
Analyze security event logs to identify which entries an AI-powered SIEM would flag — then compare your predictions to the AI analysis.
Lesson 5 of 5
Predict-First Format
~20 min
SIEM · Anomaly Detection · Human Oversight
Key Terms: SIEM (Security Information and Event Management) — correlates logs from multiple sources; False Positive — a benign event flagged as a threat; Alert Fatigue — analysts becoming desensitized due to too many low-quality alerts; Anomaly Detection — identifying events that deviate from a learned baseline.
Context
Scenario: Midnight Analytics Inc.
You are a junior security analyst at Midnight Analytics Inc. Your company uses an AI-powered SIEM to monitor security events across 200 endpoints. The SIEM has learned a behavioral baseline over 90 days and flags events that deviate significantly from normal patterns.
Below are four security log entries from last Tuesday. Before seeing the AI’s analysis, predict whether each entry should be flagged as suspicious or not. Then reveal the AI’s verdict and explanation.
Log Entry 1 of 4
Failed Login Spike
Event: User account jsmith@midnight.com generated 847 failed login attempts from IP 203.0.113.42 between 02:14 and 02:18 AM.
Context: Normal login behavior for this user is 1–3 logins per day from office IP 192.168.1.0/24 during business hours.
▷ Predict First
Before revealing the AI verdict — should the SIEM flag this entry? Think about: volume of attempts, time of day, IP address, and deviation from baseline.
✅ Flag as Suspicious — AI Confidence: HIGH
Three simultaneous anomalies triggered this flag: (1) 847 failed attempts in 4 minutes far exceeds the brute-force threshold; (2) the source IP is external and not in any known-good list; (3) the activity occurred at 2 AM — a time when this user has never historically logged in. The combination of high volume, foreign IP, and off-hours timing produces a strong compound anomaly score. Likely attack: brute-force or credential stuffing from a botnet.
AP Exam Tip: SIEM systems use correlation rules — a single unusual event might not trigger an alert, but multiple simultaneous deviations compound the anomaly score. This is why SIEMs outperform simple threshold alerts.
Log Entry 2 of 4
Large Outbound Data Transfer
Event: Workstation W-114 transferred 4.2 GB to external IP 185.220.101.77 at 11:45 AM on Tuesday.
Context: This workstation belongs to a data analyst whose role regularly involves uploading reports to cloud storage. Average outbound transfer for this user is 3.8 GB per day to known cloud storage IPs. The destination IP is not in any known-good list.
▷ Predict First
The transfer volume is normal for this user. But is there something else worth flagging here?
✅ Flag as Suspicious — AI Confidence: MEDIUM
The volume matches this user’s pattern, but the destination is the anomaly. The user normally transfers to approved cloud storage IPs — this destination (185.220.101.77) is an unknown external IP not in the organization’s trusted list. The AI flags destination anomalies even when volume is normal because data exfiltration can mimic legitimate transfer volumes. A human analyst should investigate whether this was an authorized new cloud service or a potential insider threat / malware C2 data exfiltration.
AP Exam Tip: The AP exam tests that volume alone is insufficient for anomaly detection. Destination, protocol, timing, and user context all contribute to the SIEM’s threat score. This is why AI-based correlation outperforms simple threshold rules.
Log Entry 3 of 4
Software Deployment Alert
Event: 180 endpoints simultaneously installed update package "WinPatch-KB5031356" at 10:00 AM Tuesday.
Context: IT Operations sent a company-wide notice Monday at 4:00 PM announcing a mandatory security patch deployment for Tuesday at 10:00 AM. The patch is from Microsoft and matches a known SHA-256 hash in the SIEM’s trusted software catalog.
▷ Predict First
Mass simultaneous software installation often triggers AI alerts. Should it in this case?
✅ Mark as Normal — AI Confidence: LOW RISK
The AI’s correlation engine cross-referenced three data points: (1) an authorized change window was announced in email logs Monday; (2) the package hash matches a trusted vendor catalog entry; (3) the deployment time matches the scheduled window. All three reduce the anomaly score significantly. This is a good example of how context — pulled from calendar/email integration — prevents alert fatigue from routine IT operations. Key takeaway: without change management integration, this would have generated a false positive.
AP Exam Tip: This is the false positive problem in action. AI SIEMs that don’t integrate with change management systems generate enormous false positive volumes. Human oversight is needed to configure these context integrations.
Log Entry 4 of 4
Privileged Account After-Hours Access
Event: Administrator account admin-dchen accessed the HR database at 11:52 PM on Tuesday, exported 2,400 employee records, then logged out at 12:03 AM.
Context: Admin accounts are permitted to access all systems. The user has accessed the HR database 3 times in the past 90 days, always during business hours for system maintenance. No maintenance ticket was filed for this access.
▷ Predict First
This is a legitimate admin account. Does that change whether the activity should be flagged?
✅ Flag as Suspicious — AI Confidence: HIGH
Legitimate credentials do not eliminate risk — this is the insider threat problem. The AI flagged four anomalies: (1) after-hours access is a behavioral deviation from the 90-day baseline; (2) bulk export of 2,400 employee records is not consistent with maintenance activity; (3) no maintenance ticket correlates with this access window; (4) HR data is a high-value sensitive data class. The combination of timing + data volume + lack of authorization record produces a high-priority alert. A human analyst must investigate whether this is an insider threat or a compromised admin credential.
AP Exam Tip: Privileged accounts are high-risk because they have broad access. The AP exam tests that SIEM behavioral analytics must also monitor admin accounts — a compromised admin credential or malicious insider is a critical threat that legitimate credentials do not rule out.
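As an added example (not part of the exercise or its SIEM product), a small Python correlation scorer that encodes the four log entries above and the reasoning behind the AI verdicts: each independent deviation adds to a compound score and authorizing context subtracts, so entry 3's install spike is cancelled by its trusted hash and change window while entry 2 is flagged on destination alone even though its volume is normal. The office range, the trusted cloud IP, the package hash, the point weights and the confidence thresholds are assumptions, not values from the page.

```python
import ipaddress
from datetime import time

# Constructed stand-ins for the SIEM's 90-day baseline and trust lists; the cloud IP
# and package hash below are placeholders, not values from the exercise.
OFFICE_NETS = [ipaddress.ip_network("192.168.1.0/24")]
TRUSTED_CLOUD_IPS = {"198.51.100.10"}
TRUSTED_HASHES = {"sha256:PLACEHOLDER-KB5031356"}
BASELINE_BYTES_OUT = 3.8e9                   # user's average daily outbound volume
BUSINESS_HOURS = (time(8, 0), time(18, 0))

def score_event(ev):
    """Compound anomaly score: each deviation adds points; authorizing context subtracts."""
    reasons = []
    add = reasons.append
    if ev.get("failed_logins", 0) >= 100:
        add((2, "failed-login burst far above baseline"))
    if "src_ip" in ev and not any(ipaddress.ip_address(ev["src_ip"]) in n for n in OFFICE_NETS):
        add((1, "source IP outside office range"))
    if not BUSINESS_HOURS[0] <= ev["time"] < BUSINESS_HOURS[1]:
        add((1, "activity outside the user's business-hours baseline"))
    if ev.get("bytes_out", 0) > 2 * BASELINE_BYTES_OUT:   # volume alone: does not fire for entry 2
        add((1, "outbound volume far above baseline"))
    if "dst_ip" in ev and ev["dst_ip"] not in TRUSTED_CLOUD_IPS:
        add((2, "destination not in trusted cloud list"))
    if ev.get("records_exported", 0) > 0 and ev.get("ticket") is None:
        add((2, "bulk export with no maintenance ticket"))
    if ev.get("sensitive_class"):
        add((1, "high-value data class accessed"))
    if ev.get("hosts", 1) >= 50:
        add((2, "mass simultaneous software install"))
        if ev.get("pkg_hash") in TRUSTED_HASHES:
            add((-2, "package hash in trusted catalog"))
        if ev.get("change_window"):
            add((-1, "matches announced change window"))
    return sum(p for p, _ in reasons), [w for _, w in reasons]

def verdict(ev):
    """Map the compound score onto the exercise's verdict/confidence labels."""
    score, reasons = score_event(ev)
    return ("HIGH" if score >= 4 else "MEDIUM" if score >= 2 else "NORMAL"), score, reasons

# The four log entries from the exercise, encoded as structured events.
EVENTS = {
    1: {"failed_logins": 847, "src_ip": "203.0.113.42", "time": time(2, 14)},
    2: {"bytes_out": 4.2e9, "dst_ip": "185.220.101.77", "time": time(11, 45)},
    3: {"hosts": 180, "pkg_hash": "sha256:PLACEHOLDER-KB5031356", "change_window": True, "time": time(10, 0)},
    4: {"records_exported": 2400, "ticket": None, "sensitive_class": "HR", "time": time(23, 52)},
}

def summarize(events=EVENTS):
    return {n: verdict(ev)[0] for n, ev in events.items()}
```

Running `summarize()` gives HIGH, MEDIUM, NORMAL, HIGH for entries 1 to 4, and `verdict(EVENTS[n])` lists the reasons behind each score.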
Extension Challenge
Design one additional log entry scenario where a legitimate action could be misclassified as an attack. What context would need to be integrated into the SIEM to prevent the false positive?
Prefer email? Reach me directly at tanner@apcsexamprep.com