5 exercises — brute-force login patterns, WAF SQLi blocks, impossible-travel logins, port scan detection, and privilege escalation in audit logs.
0 / 5 completed
1 / 5
An authentication log shows: 2026-07-08T02:14:01Z auth_failed user=admin ip=185.220.101.5 reason=invalid_password 2026-07-08T02:14:02Z auth_failed user=admin ip=185.220.101.5 reason=invalid_password 2026-07-08T02:14:03Z auth_failed user=admin ip=185.220.101.5 reason=invalid_password ... (312 more lines, same IP, one attempt per second)
What pattern does this represent, and what's the correct first response?
Reading auth logs for attack patterns: the key signals of a brute-force attempt are volume (hundreds of attempts), regularity (one attempt per second — a machine, not a human typing), and a fixed target (same username, "admin" is a common target since it's predictable).
Vocabulary: • Brute-force attack — systematically trying many password guesses • Credential stuffing — trying username/password pairs leaked from other breaches, usually with many different usernames, not one • Rate limiting — capping how many attempts are allowed per time window • Account lockout — temporarily disabling an account after N failed attempts
Response steps: block the source IP at the firewall/WAF, verify account lockout is enabled so credential guessing can't succeed even without IP blocking, and check whether any attempt in the sequence eventually succeeded (search for a matching auth_success from the same IP or user shortly after) — that would upgrade this from "attempted" to "compromised".
2 / 5
A web application firewall (WAF) log entry reads: {"action":"blocked","rule":"SQLI-942100","ip":"91.243.85.12","uri":"/api/search?q=1' OR '1'='1","method":"GET"}
How would you explain this log entry to a non-security teammate?
SQL injection (SQLi) exploits code that builds SQL queries by concatenating untrusted input directly into the query string. The classic payload ' OR '1'='1 is designed so that, if inserted unescaped into a query like WHERE name = '<input>', it becomes WHERE name = '' OR '1'='1' — always true, potentially returning or exposing every row.
Reading this log entry: • action: blocked — the WAF stopped the request; it never reached the application • rule: SQLI-942100 — matches a known SQLi signature (OWASP CRS rule IDs are common) • uri — shows the exact malicious payload in the query string
Why "blocked" matters for triage: a blocked WAF event is evidence of a probe, not necessarily a successful breach — but repeated blocked attempts from the same IP against multiple endpoints indicate active reconnaissance and should be correlated with any other suspicious activity from that source. The correct application-level defence against SQLi is parameterised queries / prepared statements, not the WAF alone — the WAF is a safety net, not the primary fix.
What security concept does this pattern illustrate, and why is it suspicious?
Impossible travel is a standard detection rule in identity security: if the same account logs in from two locations separated by a distance that couldn't be travelled in the elapsed time (accounting for flight speed, generously), it flags likely credential compromise or session hijacking.
Why VPN use complicates this: a legitimate VPN connection can also produce a distant geo value, which is why impossible-travel alerts are usually a starting point for investigation, not an automatic block — teams check for other corroborating signals: a new/unrecognised device fingerprint, a new user-agent, unusual activity following the login (privilege escalation, mass data export), or whether the user's VPN usage is already known and whitelisted.
Correct response, described professionally: "We saw an impossible-travel alert on jsmith's account — two successful logins 5 minutes apart from Kyiv and Jakarta. We're forcing a password reset and reviewing session activity from both IPs before confirming this is a false positive." This precise vocabulary — impossible travel, session hijacking, corroborating signals — is standard in security incident communication.
4 / 5
An IDS (Intrusion Detection System) alert log shows: [ALERT] ET SCAN Suspicious inbound to mySQL port 3306 src=198.51.100.7 dst=10.0.2.15:3306 count=1 proto=TCP [ALERT] ET SCAN Suspicious inbound to Redis port 6379 src=198.51.100.7 dst=10.0.2.15:6379 count=1 [ALERT] ET SCAN Suspicious inbound to Elasticsearch port 9200 src=198.51.100.7 dst=10.0.2.15:9200 count=1 ...all within the same second, same source IP. What is this pattern called?
Port scanning is a reconnaissance technique: an attacker (or automated scanner like Shodan-style bots) systematically checks a target for open ports associated with commonly misconfigured or vulnerable services. The ports here are telling: 3306 (MySQL), 6379 (Redis), 9200 (Elasticsearch) are all databases that are dangerous to expose directly to the internet without authentication.
IDS vocabulary: • IDS (Intrusion Detection System) — monitors traffic and alerts on suspicious patterns (passive — doesn't block) • IPS (Intrusion Prevention System) — same detection, but actively blocks/drops matching traffic • Signature — a known pattern used to detect a specific type of malicious traffic (the "ET SCAN" prefix here refers to the Emerging Threats ruleset)
Correct response: the priority action isn't just blocking the scanning IP (more will follow from other IPs) — it's verifying that ports 3306/6379/9200 are not actually reachable from the public internet in the first place. Port scans against exposed database ports should trigger an immediate audit of security group / firewall rules, since a scan finding an open, unauthenticated database is often the actual breach, not the scan itself.
5 / 5
A privilege escalation event shows in the audit log: {"actor":"svc-deploy-bot","action":"iam.attachRolePolicy","target":"AdministratorAccess","resource":"role/svc-deploy-bot","timestamp":"2026-07-08T03:41:12Z"}
Why does this single log line deserve immediate attention?
Privilege escalation — gaining higher permissions than originally granted — is one of the most serious patterns to catch in audit logs, especially when the actor is a service account rather than a human. Service accounts are expected to follow the principle of least privilege: they should hold only the specific permissions their automated task requires (e.g. "deploy to this one S3 bucket"), never broad access like AdministratorAccess.
Why this is alarming: a legitimate deploy bot has no reason to grant itself admin rights. Two likely explanations: (1) a misconfigured CI/CD pipeline with overly broad permissions that a script accidentally used to self-escalate, or (2) the service account's credentials (an access key, a CI secret) were stolen, and an attacker is using them to expand access before doing further damage.
Correct incident response, in professional language: "We detected the svc-deploy-bot role attaching AdministratorAccess to itself at 03:41 UTC — this is not expected pipeline behaviour. We are rotating its credentials immediately, reviewing all actions taken by this identity in the last 24 hours, and revoking the AdministratorAccess attachment." Precise audit-log vocabulary — actor, action, resource, principle of least privilege — lets security teams communicate severity quickly and unambiguously.
What will I practise in "Security & Access Logs — Log Reading Exercises"?
Practice reading security and access logs for intrusion detection: brute-force patterns, WAF SQL injection blocks, impossible-travel logins, port scans, and privilege escalation events. 5 exercises for security-minded engineers.
How many exercises are in this module?
This module has 5 multiple-choice exercises, each with instant feedback and a full explanation of the correct answer.
Is this exercise free to use?
Yes. Every exercise on CoderSlingo, including this one, is free to use with no account, sign-up, or paywall.
Do I need to create an account to do these exercises?
No account is required. Just click an option to answer — your score for this session is tracked automatically in the progress bar above.
What happens if I choose the wrong answer?
You'll immediately see which answer was correct, plus a full explanation covering the vocabulary and reasoning behind it — mistakes are where most of the learning happens.
Can I retry the exercises if I want a higher score?
Yes — use the "Try again" button on the results screen to reset and go through all the questions again.
Is my progress saved if I close the page?
No. Progress is tracked only for your current visit; reloading or leaving the page resets the counter. This keeps the exercise simple and account-free.
Where can I find more Log Reading exercises?
Browse the full Log Reading hub for related drills, or check the "Next up" link below to continue with a connected topic.
How is this different from reading an article on the same topic?
Articles explain vocabulary and concepts in prose; this exercise tests and reinforces that vocabulary through active recall with immediate feedback — the two work best together.
Who writes these exercises?
Every exercise is written by the CoderSlingo team, drawing on real workplace English used in IT roles, then reviewed for accuracy and clarity.