Exam AZ-500 topic 1 question 31 discussion

-- KUSTO Query let timeframe = 1d; SecurityEvent | where TimeGenerated > ago(1d) | where AccountType == 'User' and EventID == 4625 // 4625 - failed log in | summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account | where failed_login_attempts > 5 | project-away Account1

too many repeat questions - Answer is correct.

Answer: C, The EventID and Count() parameters. Reason: To detect unsuccessful sign-in attempts, you need to use the EventID parameter to filter for failed sign-in events. The Count() function is used to aggregate and count these events per user. By using these together, you can identify users with more than five failed sign-in attempts, meeting the requirement of the query. Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/query-language

You don't need this part "latest_failed_login=arg_max(TimeGenerated, Account)". It is not important when the last login occurred, you already have a filter that will retrieve everything newer than the timeframe. Regarding timeframe, if you define, you should also use it like this "| where TimeGenerated > ago(timeframe)"

I was tricked because the question doesn't say it would be about on-premises AD logins. Entra ID signins have neither ActivityID not EventID column.

the answer is A as the question is asking only to show users who failed to sign in at least 5 times.

In Azure Log Analytics, you typically use the Kusto Query Language (KQL) to analyze and query data. When you want to detect unsuccessful user sign-in attempts and ensure that the results only show users who had failed to sign in more than five times, you need to count the occurrences of failed sign-ins per user and then filter the results based on that count. For sign-in logs, the relevant information is usually stored in fields like EventID (which identifies the type of event) and UserPrincipalName (or a similar field that identifies the user). The actual names of these fields can vary depending on how the data is structured in your specific Azure Log Analytics workspace. Option C, "The EventID and Count() parameters," is the closest to what you need, but it's important to use the correct KQL syntax and structure the query properly. Here's how you can structure the query:

Answer: C Explanation: KUSTO Query let timeframe = 1d; SecurityEvent | where TimeGenerated > ago(1d) | where AccountType == 'User' and EventID == 4625 // 4625 - failed log in | summarize failed_login_attempts=count(), latest_failed_login=arg_max(TimeGenerated, Account) by Account | where failed_login_attempts > 5 | project-away Account1 Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/examples

C. The EventID and Count() parameters.

C is the right answer

C. The EventID and Count() parameters.

To create an Azure Log Analytics query that detects unsuccessful user sign-in attempts and filters for users who failed to sign in more than five times, you would need to include the EventID and CountIf() parameters in your query. The EventID parameter helps identify the sign-in events, typically represented by specific event IDs in the logs. The CountIf() parameter allows you to specify a condition to count the occurrences that meet that condition. In this case, you would set the condition to count the unsuccessful sign-in attempts. Therefore, the correct answer is: A. The EventID and CountIf() parameters.

Answer A is correct. The count() function and countif() function are both used in Azure Log Analytics queries to count the number of records that match a certain condition. However, they differ in the way they apply the condition. The count() function simply counts all records in a given table, without applying any conditions. For example, count(*) would count all records in a table. The countif() function, on the other hand, applies a condition to the count operation. It counts the number of records that match a specific condition, specified using a Boolean expression. For example, countif(Severity == 'Error') would count the number of records where the severity is 'Error'. In summary, the count() function counts all records, while the countif() function counts only the records that match a specified condition.

SecurityEvent | where EventID == 4625 | where TimeGenerated > ago(2d) | summarize count() by AccountName | where count_ > 5

C. The EventID and Count() parameters.

Correct answer. CountIf returns True of False and can used at a column. Count returns the number of records.

Ans is C. Example of the Kusto query at: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/failed-login-report-using-log-analytics-and-logic-apps/ba-p/745025