A SIEM analyst reviews the following sequence from a VPN and email platform over 15 minutes: 47 failed logins against different accounts from one public IP, one successful VPN login from that same IP, a new inbox forwarding rule to an external address, and a mailbox sign-in from a device never seen before. Which three findings most strongly support a password-spraying-to-compromise scenario? Select three.

A workstation patch installation completed earlier that day.

Routine patching is not evidence of compromise and does not correlate with the suspicious authentication pattern.

The mailbox server reported normal disk utilization during the same hour.

Normal server health metrics do not explain or confirm the suspicious login and forwarding activity.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Many failed logins across different usernames from the same source IP in a short time window. — The combination of many failures across many accounts, a later success from the same IP, and an external forwarding rule is a strong indicator of password spraying followed by account takeover and persistence. The first event shows the attack method, the second shows probable compromise, and the third shows an action commonly used to maintain access or steal mail. Together, they justify escalation and immediate account containment. Why others are wrong: A patch completion event is unrelated to the login pattern and is often just routine maintenance. Normal disk utilization on the mail server does not meaningfully support or refute the compromise. Those are background signals, not indicators that tie the attack sequence together.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.