Learning outcome 1
Analyze system and network log files to identify indicators of compromise.
Skill drills that assess this outcome
- CSCD240-E1-A-Q13 (primary, performance, search-find): Somewhere in the filesystem there is a file config.ini. Locate it.
- CSCD240-E1-A-Q14 (primary, performance, grep-recursive): Show the filenames containing "printf" in all .c files in the home directory and subdirectories.
- CSCD240-E1-A-Q29 (primary, performance, regex): contacts.txt has Name<tab>number lines. Print only those whose number ends with 6.
- CSCD240-E1-A-Q34 (primary, performance, grep): Print lines of access.log containing 403, with their line numbers.
- CSCD240-E1-A-Q38 (primary, performance, pipeline-distinct): Count distinct lines in visitors.txt (unsorted input).
- CSCD240-E1-A-Q50 (primary, performance, log-pipeline): auth.log line format is "2026-04-14 08:31 FAIL user=alex src=10.x". Print the top 3 FAIL source IPs, count first, most frequent first.
- CSCD240-E1-B-Q18 (primary, performance, log-search): Print every line of auth.log containing "Failed password" (case-insensitive), with line numbers.
- CSCD240-E1-B-Q19 (primary, performance, log-pipeline): Top 5 source IPs in FAIL lines of auth.log, where the IP is field 5.
- CSCD240-E1-B-Q20 (primary, performance, log-pipeline): Count distinct usernames on FAIL lines of auth.log, where the username is given as "user=<name>".
- CSCD240-E1-B-Q22 (primary, performance, regex-alt): Print lines of fw.log matching DENY or DROP (extended regex).
- CSCD240-E1-B-Q23 (primary, performance, grep-recursive): Recursively search /etc for any file containing "password=" and print only the filenames.
- CSCD240-E1-B-Q28 (primary, performance, proc-forensics): Suspect PID 31337 is a reverse shell. Print its full command line and working directory.
- CSCD240-E1-C-Q11 (primary, multiple_choice, log-follow): A log file is continuously updated. Which command shows new lines as they are written?
- CSCD240-E1-C-Q15 (primary, multiple_choice, pipeline-distinct): Which pipeline counts distinct values in column 1 of a CSV?
- CSCD240-E1-C-Q17 (primary, multiple_choice, find): Which command searches the filesystem for a file by name, suppressing permission-denied errors?
- CSCD240-E1-C-Q25 (primary, performance, grep): Print every line of auth.log containing "Failed password" (case-insensitive), with line numbers.
- CSCD240-E1-C-Q26 (primary, performance, log-pipeline): Top 5 source IPs appearing on FAIL lines of auth.log (IP = field 5).
- CSCD240-E1-C-Q27 (primary, performance, log-pipeline): List unique usernames appearing on FAIL lines of auth.log (user=<name>).
- CSCD240-E1-C-Q43 (primary, scenario, incident-response): PID 2211 spawns thousands of sh processes per minute. Give the steps to stop it without killing vital processes.
- CSCD240-E1-C-Q44 (primary, scenario, debug-pipeline): cat access.log | grep admin | wc -l returns 0 even though the log has admin hits. Give two reasons.