An analyst notices repeated failed SSH login attempts from an external IP address against a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?
- A
Search the SIEM for events with destination port 22 and that source IP.
Why correct: Directly retrieves the SSH events from that IP, already filtered by source address and port.
- B
Review all firewall logs for the past hour.
Why wrong: Too broad; includes non-SSH traffic.
- C
Run a packet capture on the server's network interface.
Why wrong: Reactive and time-consuming; a capture only sees new traffic, so it is not suitable for quick historical review.
- D
Check the server's auth.log file manually.
Why wrong: Does not filter by source IP or time window; requires manual parsing.