A SOC analyst sees 20 failed logins for one user account, followed by a successful login 30 seconds later from the same office subnet. The user confirms they mistyped the password several times. What is the best conclusion?

It is definitely a brute-force attack and should be treated as confirmed compromise.

Multiple failed logins can look suspicious, but this conclusion is too strong without additional evidence.

It is evidence of malware on the user's workstation until the device is rebuilt.

Login failures alone do not indicate malware or require immediate reimaging.

It proves the password was changed by an attacker and the account must be disabled immediately.

There is no evidence of password change, unauthorized access, or account takeover here.

What does this SY0-701 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: It is most likely a false positive caused by user error and should be documented after verification. — The best conclusion is that this is most likely a false positive caused by normal user behavior. Repeated failed logins followed by a successful login from the expected subnet fit the user's explanation of mistyping the password. In monitoring work, analysts should correlate the alert with user confirmation, source location, and timing before escalating. This avoids wasting time on routine mistakes while still documenting the event for trend analysis. Why others are wrong: Option A is too aggressive because failed logins alone do not prove brute force. Option C adds malware without any supporting endpoint indicators. Option D assumes compromise and password change, but the log pattern and user confirmation support a benign explanation instead.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.