Exam SC-200 topic 1 question 1 discussion

DeviceLogonEvents | where DeviceName in ("CFOLaptop" , "CEOLaptop" ) and ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName , LogonType This is the correct answer , I tested it .

I think the third box is answered wrong. ActionType == "LogonFailed" should be the correct answer.

ChatGPT says : DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") | where LogonType == "Failed" | summarize FailedSignInCount = count() by DeviceName

The correct answer is: DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == FailureReason |s summarize LogonFailures=count () by DeviceName, LogonType Here is a brief explanation of how this query works: The DeviceLogonEvents table is selected, which contains logon events for devices. The where clause filters the events to only include those that have a DeviceName of CFOLaptop, CEOLaptop, or COOLaptop, and an ActionType of FailureReason. This effectively filters the events to only include failed logon events from the specified devices. The summarize clause counts the number of events that match the previous criteria, grouping the results by DeviceName and LogonType. The count() function counts the number of events in each group, and the LogonFailures alias is used to label this count in the resulting output.

Please fix this answer

In given answer, ActionType should be "LogonFailed".

Hi All, Checked again in real environment. Shown answer is not correct as Failure Reason is not one fo the ActionTypes and no result by this search. Correct Answer is ; -------------- DeviceLogonEvents | where DeviceName in ("CFOLaptop" , "CEOLaptop", "COOLaptop") and ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName , LogonType

Correct

Correct answer should be: ActionType="LogonFailed". When running this query, there is no any result returned. DeviceLogonEvents | where ActionType == FailureReason

correct Answer is DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == FailureReason |s summarize LogonFailures=count () by DeviceName, LogonType

Only 3 types of ActionType exist based on the schema. Try yourself with a long time range (e.g below last 14days) DeviceLogonEvents | where TimeGenerated >= ago(14d) | distinct ActionType Result: LogonSuccess LogonFailed LogonAttempted That should clear the doubts that "LogonFailed" is the correct option, not "FailureReason". Strongly suggest going through the official schema and the actual query for validation.

Under DeviceLogonEvents schema, below are the ActionType values available and FailureReason is the column in the schema that can be fetched ActionType values: LogonAttempted LogonFailed LogonSuccess and hence the answer is ActionType == 'LogonFailed' ; also a string should be mentioned in a single or double quotes

Tested, ActionType == LogonFailed

DeviceLogonEvents |where Devicename in ("CFOlaptops", "CEOLaptop") and ActionType == "LogonFailed" |summarize LoginFailures=count() by DeviceName, LogonType

See DeviceLogonEvents options -> https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/devicelogonevents

Answer is correct DeviceLogonEvents | where DeviceName in ("CFOLaptop","CEOLaptop","COOLaptop") and ActionType == FailureReason | summarize count() by DeviceName, LogonType,TimeGenerated As far as I know ActionType contains only LogonSuccess, LogonAttempted and empty value. Empty value in same rows in columns ActionType and FailureReason means failed sign-in authentications.

ActionType == "LogonFailed" is the correct option,