TimSaysICan Training - CySA+ PBQ

CySA+ PBQ: Suspicious Login Review

Use file transfer logs to identify compromise indicators and corrective actions.


Scenario

SFTP and web logs show several internal users making updates, repeated failed logins from one address, HTTP 404s from another, and one successful external SFTP login using user sjames that modified index.html.

Your task: Review the evidence and select the best analyst response for each field.

| Evidence | Details |
| --- | --- |
| Internal activity | 192.168.10.32 modified about_us.html; 192.168.10.37 modified index |
| External success | 41.21.18.102 logged in as sjames and modified index.html |
| Noise | 32.111.16.37 mostly failed logins; 52.110.26.27 only HTTP 404s |
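
An added example, not part of the original exercise: a Python triage pass that groups events by source address and separates the patterns listed in the evidence table. The event tuple layout, the event counts, and the user names other than sjames are constructed for illustration; the addresses and file names are taken from the scenario.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not real logs):
# (source IP, service, user, outcome, file touched)
EVENTS = [
    ("192.168.10.32", "sftp", "user_a", "success", "about_us.html"),
    ("192.168.10.37", "sftp", "user_b", "success", "index"),
    ("32.111.16.37", "sftp", "admin", "fail", None),
    ("32.111.16.37", "sftp", "root", "fail", None),
    ("32.111.16.37", "sftp", "test", "fail", None),
    ("52.110.26.27", "http", None, "404", None),
    ("52.110.26.27", "http", None, "404", None),
    ("41.21.18.102", "sftp", "sjames", "success", "index.html"),
]

def triage(events):
    """Group events by source and return {ip: (label, detail)}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[0]].append(ev)

    verdicts = {}
    for ip, evs in by_src.items():
        internal = ipaddress.ip_address(ip).is_private  # RFC 1918 check
        # Authenticated sessions that touched a file: (user, file)
        writes = [(e[2], e[4]) for e in evs if e[3] == "success" and e[4]]
        fails = sum(1 for e in evs if e[3] == "fail")
        only_404 = all(e[3] == "404" for e in evs)

        if not internal and writes:
            # Valid credentials used from outside plus a content change:
            # the one pattern here that shows access, not just attempts.
            verdicts[ip] = ("external-auth-with-write", writes)
        elif internal and writes:
            verdicts[ip] = ("internal-activity", writes)
        elif only_404:
            verdicts[ip] = ("http-404-only", len(evs))
        elif fails:
            verdicts[ip] = ("failed-logins", fails)
        else:
            verdicts[ip] = ("other", len(evs))
    return verdicts

if __name__ == "__main__":
    for ip, (label, detail) in triage(EVENTS).items():
        print(f"{ip:15} {label:26} {detail}")
```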

Analyst Decisions

Instructor Answer