Question 158 of 236 from exam AZ-500: Microsoft Azure Security Technologies

Question

HOTSPOT

You suspect that users are attempting to sign in to resources to which they have no access.

You need to create an Azure Log Analytics query to identify failed user sign-in attempts from the last three days. The results must only show users who had more than five failed sign-in attempts.

How should you configure the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Explanations

The following example identifies user accounts that failed to log in more than five times in the last day, and when they last attempted to log in.

let timeframe = 1d;
SecurityEvent
| where TimeGenerated > ago(1d)
| where AccountType == 'User' and EventID == 4625 // 4625 - failed log in
| summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account
| where failed_login_attempts > 5
| project-away Account1

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples
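
The same detection applied to the three-day window from the question, run over constructed sample rows so the threshold and window boundaries are visible. This is an added example, not part of the original page or the Microsoft documentation; the table name SampleSecurityEvent, the HoursAgo helper column, the account names and every row are assumptions made for illustration, and max() is used in place of arg_max() to get the latest failure time.

```kusto
// Added example; all rows below are constructed, not real sign-in data.
let timeframe = 3d;   // look-back window asked for in the question
let threshold = 5;    // report only accounts with MORE than this many failures
// Stand-in for the SecurityEvent table. HoursAgo is a hypothetical helper column
// that keeps the sample timestamps relative to the moment the query runs.
let SampleSecurityEvent = datatable(Account: string, AccountType: string, EventID: int, HoursAgo: long)
[
    // alice: six failed sign-ins inside the window, plus one successful sign-in (4624)
    "alice", "User", 4625, 1,    "alice", "User", 4625, 2,
    "alice", "User", 4625, 5,    "alice", "User", 4625, 20,
    "alice", "User", 4625, 30,   "alice", "User", 4625, 50,
    "alice", "User", 4624, 51,
    // bob: exactly five failures inside the window (at the threshold, not above it)
    "bob", "User", 4625, 3,      "bob", "User", 4625, 4,
    "bob", "User", 4625, 6,      "bob", "User", 4625, 7,
    "bob", "User", 4625, 8,
    // carol: seven failures in total, but four of them are older than 72 hours
    "carol", "User", 4625, 10,   "carol", "User", 4625, 40,
    "carol", "User", 4625, 60,   "carol", "User", 4625, 80,
    "carol", "User", 4625, 90,   "carol", "User", 4625, 100,
    "carol", "User", 4625, 120,
    // SRV01$: six failures inside the window, but a machine account, not a user
    "SRV01$", "Machine", 4625, 1, "SRV01$", "Machine", 4625, 2,
    "SRV01$", "Machine", 4625, 3, "SRV01$", "Machine", 4625, 4,
    "SRV01$", "Machine", 4625, 5, "SRV01$", "Machine", 4625, 6
];
SampleSecurityEvent
| extend TimeGenerated = now() - HoursAgo * 1h        // rebuild a timestamp for each sample row
| where TimeGenerated > ago(timeframe)                // keep only the last three days
| where AccountType == 'User' and EventID == 4625     // 4625 - failed log in
| summarize failed_login_attempts = count(),
            latest_failed_login = max(TimeGenerated) by Account
| where failed_login_attempts > threshold             // strictly more than five
| order by failed_login_attempts desc
```

To run it against real data, replace SampleSecurityEvent with SecurityEvent and drop the extend line, since SecurityEvent already carries TimeGenerated.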