Understanding the Security Event:
Administrator accounts are highly privileged and require strict monitoring.
Server 4 shows failed login attempts for the administrator account. This could indicate a brute-force attack or unauthorized access attempt.
The fact that none of the admin login attempts were successful suggests someone was trying to guess the credentials.
Why Option D is Correct:
Failed logins for administrator accounts are a critical security concern.
If an attacker gains access, they could escalate privileges and compromise the network.
Investigating unauthorized admin login attempts should be the top priority in a log audit.
Why Other Options Are Incorrect:
A (Endpoint not submitting logs): While this is concerning, it does not indicate an active attack.
B (Lateral movement): There's no evidence of a compromised account moving between servers yet.
C (Misconfigured syslog server): False negatives are a possibility, but the failed admin logins are real.
[Reference: CompTIA SecurityX CAS-005 Official Study Guide: SIEM & Incident Analysis, MITRE ATT&CK (T1078.002): Valid Accounts - Administrator Compromise]