2026/2027 | 100% Correct Visual Questions with Screenshots
and Detailed Rationales | CySA+ Exam Prep | Pass
Guaranteed - A+ Graded
Note: Screenshots are described in [brackets] with visual elements detailed for study
reference
Domain 1: SIEM Analysis and Log Review (20 Questions)
[SCREENSHOT: Splunk Security Dashboard - Failed Authentication Timeline]
Visual Description: Splunk dashboard showing "Failed Login Attempts" timechart (last 4
hours), single source IP (192.168.1.105) showing 847 failed attempts in 10-minute span,
account lockout events, geographic map highlighting external IP origin (Russia), "Top
Source IPs" panel showing 192.168.1.105 with 94% of failed logins, baseline comparison
showing normal activity <10 failed logins/hour
Q1: Based on the Splunk dashboard visualization, which indicator MOST clearly
confirms an active brute force attack is in progress?
A. The geographic location showing Russia on the map (all external traffic is
suspicious)
,B. The account lockout events visible in the timeline (indicates policy enforcement, not
attack)
C. The spike of 847 failed attempts from single IP 192.168.1.105 in 10 minutes vs.
baseline of <10/hour [CORRECT]
D. The 4-hour time window selected (timeframe is irrelevant to attack identification)
Correct Answer: C
Rationale: The visual timechart spike from IP 192.168.1.105 represents the definitive
brute force indicator—mathematically impossible as legitimate activity (847 attempts in
10 minutes = 84.7 attempts/minute vs. baseline <0.17/minute). The red trend line
shows exponential growth characteristic of automated credential stuffing. Option A is
incorrect because geographic location alone doesn't confirm attack (could be legitimate
remote worker); the dashboard's "External Traffic" filter shows this IP is flagged for
volume, not just location. Option B shows policy working correctly (lockouts after failed
attempts), not the attack itself. Option D is a dashboard configuration element, not a
security indicator. The 94% concentration in "Top Source IPs" panel (visible in
screenshot's right column) further confirms single-source attack vs. distributed
attempts.
[SCREENSHOT: Windows Event Viewer - Security Log Detail]
Visual Description: Event ID 4625 (An account failed to log on) details pane showing:
Account Name: "ADMINISTRATOR", Account Domain: "CORP", Failure Reason: "Unknown
,user name or bad password", Sub Status: "0xC000006A" (incorrect password), Source
Network Address: "10.0.0.45", Logon Type: 3 (Network), Process Name: "NtLmSsp", 15
identical events in 3-minute window
Q2: Analyzing the Event Viewer screenshot showing multiple Event ID 4625 entries, what
specific logon characteristic indicates this is likely a network-based brute force attack
rather than local keyboard mis-entry?
A. The Account Name field showing "ADMINISTRATOR" (indicates privileged target)
B. Logon Type 3 (Network) visible in the Logon Type field [CORRECT]
C. The Failure Reason "Unknown user name or bad password" (generic failure message)
D. The Process Name "NtLmSsp" (NTLM security package)
Correct Answer: B
Rationale: Logon Type 3 (Network) in the detailed event properties (visible in the middle
pane of the screenshot) specifically indicates remote network authentication attempts
via SMB/RPC, distinguishing remote attacks from Logon Type 2 (Interactive) keyboard
entries. This is the critical differentiator visible in the log. Option A indicates target
selection but not attack vector. Option C appears in both local and remote failures.
Option D indicates authentication protocol but local NTLM usage also uses NtLmSsp.
The Source Network Address "10.0.0.45" combined with Logon Type 3 confirms remote
network origin—local failures would show Logon Type 2 with Source Network Address:
"-" or local IP.
, [SCREENSHOT: Syslog Server Output - Firewall Deny Logs]
Visual Description: Terminal window showing syslog entries: "Mar 15 14:23:45 fw01
kernel: [DROP] IN=eth0 OUT= MAC=00:50:56:c0:00:08 SRC=203.0.113.45
DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP
SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0" repeated 50 times with
incrementing ID, destination port 22 (SSH), single source IP, SYN flag set, no established
connections
Q3: Based on the syslog screenshot showing repeated firewall DROP entries, what
attack technique is being attempted against destination 192.168.10.10?
A. TCP SYN flood / SSH port scanning from external source [CORRECT]
B. Successful SSH brute force with valid credentials
C. UDP amplification attack on port 22
D. Legitimate SSH administration traffic being blocked
Correct Answer: A
Rationale: The visual log pattern shows classic SYN scan indicators: (1) PROTO=TCP
with SYN flag set and URGP=0 (no urgent pointer), (2) DPT=22 (SSH target), (3) ID
incrementing sequentially (54321, 54322... indicating crafted packets), (4) [DROP]
action with no reply packets, (5) TTL=240 (typical for external sources), (6) LEN=40