Question 74 of 130 from exam MS-500: Microsoft 365 Security Administration

Question

You are the IT administrator in a company with a Microsoft 365 E3 subscription.

You suspect that a colleague of yours, testadmin, has signed in to Azure with malicious intent this morning.

You need to perform an audit log search from the Security and Compliance Center for all User administration activities that he may have performed this morning.

You select today's date as the start date and set the start time to 00:00. You select today as the end date and set the current time as the end time. You set the Activities as shown:

[Screenshot: audit log search form with the Activities picker open]

Activities picker ("Clear all to show results for all activities"):

User administration activities: Added user, Deleted user, Set license properties, Reset user password, Changed user password, Changed user license, Updated user, Set property that forces user to change password

Azure AD group administration activities: Added group, Updated group, Deleted group, Added member to group, Removed member from group

Application administration activities: Added service principal, Removed a service principal from the directory, Set delegation entry, Removed credentials from a service principal, Added delegation entry, Added credentials to a service principal

Search form:

Activities: Added user, ... (8)
Start date: 2021-06-05 00:00
End date: 2021-06-05 14:00
Users: whizlabadrin@ a.

However, the search returns no data.

What should you do?

Answers

Explanations

A. B. C. D.

Correct Answer: A

When searching for events associated with Azure Active Directory admin events, it might take up to 24 hours for the audit log record to be returned in the results of the audit log search.

See Microsoft documentation:

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. The following table shows the time it takes for the different services in Office 365.

Microsoft 365 service or feature                    30 minutes    24 hours
Defender for Office 365 and Threat Intelligence         ✓
Azure Active Directory (user login events)                            ✓
Azure Active Directory (admin events)                                 ✓
Data Loss Prevention                                    ✓
Dynamics 365 CRM                                                      ✓

Option B is incorrect.

You have selected the correct activities, but you may need to wait up to 24 hours before the search returns any data.

Option C is incorrect.

This is not correct; you can start the search at 00:00.

Option D is incorrect.

You may need to wait up to 24 hours before the search returns any data.
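
The same search from Exchange Online PowerShell, as an added example that is not part of the original question or of Microsoft's documentation: it runs the query for the eight User administration activities and treats an empty result as inconclusive while the 24-hour window for Azure AD admin events is still open. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session; the UPN is a constructed placeholder, Get-AuditLagVerdict is a hypothetical helper, and the operation strings are assumed to be the audit log names for the activities in the picker.

```powershell
# Added example. Assumes: Connect-ExchangeOnline has already been run and the
# account holds an audit log search role. Get-AuditLagVerdict is a hypothetical helper.
function Get-AuditLagVerdict {
    param(
        [int]$RecordCount,
        [datetime]$WindowEndUtc,
        [datetime]$NowUtc = [datetime]::UtcNow,
        [int]$MaxLagHours = 24   # Azure AD admin events: up to 24 hours
    )
    # Earliest time at which every event in the window should be searchable.
    $settledUtc = $WindowEndUtc.AddHours($MaxLagHours)
    if ($NowUtc -lt $settledUtc) {
        if ($RecordCount -eq 0) { return "Inconclusive: re-run after $($settledUtc.ToString('u'))" }
        return "Partial: more records may appear until $($settledUtc.ToString('u'))"
    }
    if ($RecordCount -eq 0) { return 'No matching activity recorded' }
    return 'Complete'
}

# Operation names assumed to correspond to the eight User administration activities.
$userOps = @(
    'Add user.', 'Delete user.', 'Update user.',
    'Reset user password.', 'Change user password.',
    'Set force change user password.',
    'Set license properties.', 'Change user license.'
)

$startUtc = (Get-Date).Date.ToUniversalTime()   # today 00:00 local, as UTC
$endUtc   = [datetime]::UtcNow                  # current time
$upn      = 'testadmin@contoso.example'         # constructed placeholder UPN

# @() forces an array so .Count is 0 when nothing is returned.
$records = @(Search-UnifiedAuditLog -StartDate $startUtc -EndDate $endUtc `
    -UserIds $upn -RecordType AzureActiveDirectory `
    -Operations $userOps -ResultSize 5000)

$verdict = Get-AuditLagVerdict -RecordCount $records.Count -WindowEndUtc $endUtc
Write-Output "Records returned: $($records.Count). $verdict"

# Show whatever has been ingested so far, oldest first.
$records | Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, Operations
```

Re-running the same command after the reported time distinguishes "no activity" from "not yet ingested".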

Reference:

To know more about audit log search, please refer to the link below: