A SIEM reviews VPN authentication logs and sees 36 different usernames each receive one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. Which attack is most likely?

A brute-force attack focused on a single locked account.

Brute force usually involves many rapid attempts against one account, which is different from one failed attempt across many accounts.

A replay attack using captured authentication data.

Replay attacks reuse valid authentication material, so the log pattern would not normally show many failed password attempts first.

A port scan that accidentally triggered authentication failures.

Port scans probe services, but they do not usually produce organized login attempts across many distinct user accounts.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Password spraying against many accounts with a low number of attempts per account. — The log pattern strongly suggests password spraying. Attackers often try a small set of common passwords against many accounts, spacing attempts out to avoid account lockouts and to blend into normal traffic. A single source IP, many usernames, one failure each, and then a successful login is a classic low-and-slow pattern that security teams should treat as credential attack activity. Why others are wrong: Brute force is usually concentrated on one account with many rapid guesses, not one attempt across many accounts. Replay attacks reuse captured credentials or tokens and would not generate this failure pattern. Port scanning may produce connection attempts, but it does not explain multiple valid-looking authentication failures across different usernames.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.