TimSaysICan Training - CySA+ PBQ

CySA+ PBQ: Phishing Log Review

Count phishing clicks, infected workstations, and the malware executable.

Scenario

An analyst must review email logs and SIEM process creation events after a phishing campaign. The known phishing domain is secure-credential-update.company-portal.com. SIEM Event ID 4688 tracks process creation, and the suspicious process name is svchost.exe.

Your task: Review the evidence and select the best analyst response for each field.

| Evidence | Details |
| --- | --- |
| Known phishing domain | secure-credential-update.company-portal.com |
| Clicked link count | 25 matching email log entries |
| Infected workstation count | 15 unique hosts with matching process events |
| Suspicious process | svchost.exe in Event ID 4688 records |
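
Added example (not part of the original training page): one way to derive the click count and the unique infected-host count from raw logs. The CSV column layout, the sample rows and the function names are constructed for illustration, so the results differ from the scenario's figures; the optional system-directory filter is an assumption added here, since svchost.exe is also the name of a legitimate Windows binary.

```python
import csv, io
from urllib.parse import urlsplit

PHISH_DOMAIN = "secure-credential-update.company-portal.com"  # from the scenario
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample rows; the CSV column layout is an assumption of this example.
EMAIL_LOG = r"""time,user,action,url
2024-05-01T09:01:10Z,alice,click,https://secure-credential-update.company-portal.com/login
2024-05-01T09:02:44Z,bob,click,https://SECURE-CREDENTIAL-UPDATE.company-portal.com./login?id=7
2024-05-01T09:03:02Z,carol,delivered,https://secure-credential-update.company-portal.com/login
2024-05-01T09:04:31Z,dave,click,https://company-portal.com/hr
2024-05-01T09:05:12Z,alice,click,https://secure-credential-update.company-portal.com/login
"""
SIEM_LOG = r"""time,event_id,computer,new_process_name
2024-05-01T09:01:40Z,4688,WS-101,C:\Users\alice\AppData\Local\Temp\svchost.exe
2024-05-01T09:02:00Z,4688,WS-101,C:\Users\alice\AppData\Local\Temp\svchost.exe
2024-05-01T09:03:15Z,4688,ws-102,C:\Users\bob\Downloads\SVCHOST.EXE
2024-05-01T09:03:20Z,4688,WS-103,C:\Windows\System32\svchost.exe
2024-05-01T09:04:00Z,4689,WS-104,C:\Users\dave\Downloads\svchost.exe
2024-05-01T09:04:30Z,4688,WS-105,C:\Windows\System32\notepad.exe
"""

def count_clicks(log_text, domain=PHISH_DOMAIN):
    """Count click entries whose URL host is exactly the phishing domain."""
    clicks = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        # .hostname is lower-cased; strip a trailing dot so FQDN forms still match.
        host = (urlsplit(row["url"]).hostname or "").rstrip(".")
        if row["action"] == "click" and host == domain:
            clicks += 1
    return clicks

def hosts_with_process(log_text, image="svchost.exe", skip_system_dirs=False):
    """Unique hosts with an Event ID 4688 record for the given image name."""
    hosts = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        path = row["new_process_name"].lower()
        if row["event_id"] != "4688" or not path.endswith("\\" + image):
            continue
        # Assumed triage aid (not in the scenario): skip standard system directories.
        if skip_system_dirs and path.startswith(SYSTEM_DIRS):
            continue
        hosts.add(row["computer"].upper())  # normalise case before de-duplicating
    return hosts

if __name__ == "__main__":
    print("clicks:", count_clicks(EMAIL_LOG))
    print("hosts:", sorted(hosts_with_process(SIEM_LOG, skip_system_dirs=True)))
```

Clicks are counted per log entry, while hosts are de-duplicated, which is why a user who clicks twice adds two clicks but only one workstation.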

Analyst Decisions

Instructor Answer