HOTSPOT - You suspect that users are attempting to sign in to resources to which they have no access. You need to create an Azure Log Analytics query to identif...


Microsoft AZ-500 Exam

Questions Number: 245 out of 443 Questions
55.30%

Question 245
HOTSPOT -
You suspect that users are attempting to sign in to resources to which they have no access.
You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users who had more than five failed sign-in attempts.
How should you configure the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
AZ-500_245Q.png related to the Microsoft AZ-500 Exam



The following example identifies user accounts that failed to log in more than five times in the last day, and when they last attempted to log in. let timeframe = 1d;
SecurityEvent -
| where TimeGenerated > ago(1d)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples





Previous Questions Next Questions