SC-200 Exam Questions

SC-200 Exam - Question 1


DRAG DROP -

You are investigating an incident by using Microsoft 365 Defender.

You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Discussion

17 comments
DigitalNomad
Oct 6, 2021

DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop") and ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName, LogonType. This is the correct answer, I tested it.

Startkabels
Oct 11, 2021

If you tested it I will go with you!

CatoFong
Jul 25, 2022

DigitalNomad is correct.

Xyz_40
Sep 2, 2022

I concur

sasasach
Mar 11, 2023

correct.

ReffG
Aug 26, 2021

I think the third box is answered wrong. ActionType == "LogonFailed" should be the correct answer.

bidaker
Mar 20, 2024

Thrilled to announce my success in the SC-200 exam. Their comprehensive materials and practice tests were instrumental in my preparation journey. https://pin.it/69fXkZQJ6

gyaansastra
Jan 3, 2023

Only 3 types of ActionType exist based on the schema. Try yourself with a long time range (e.g. below, last 14 days): DeviceLogonEvents | where TimeGenerated >= ago(14d) | distinct ActionType. Result: LogonSuccess, LogonFailed, LogonAttempted. That should clear the doubts that "LogonFailed" is the correct option, not "FailureReason". Strongly suggest going through the official schema and the actual query for validation.
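As an added example (not from the exam page or any commenter), here is the complete hunting query the question asks for, covering all three devices named in the question, followed by the validation query several commenters describe for listing the ActionType values that actually exist in the table. It is written for Microsoft 365 Defender advanced hunting, where the time column of DeviceLogonEvents is Timestamp; the 30-day window is an assumed value, not something the question specifies.

```kql
// Added example, not the exam's answer image or any commenter's code.
// Count failed sign-in authentications on the three devices from the question,
// grouped by device and logon type. The 30-day window is an assumed value.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop")
| where ActionType == "LogonFailed"
| summarize LogonFailures = count() by DeviceName, LogonType
| order by LogonFailures desc

// Validation: enumerate the distinct ActionType values present in the table.
// FailureReason is a column of DeviceLogonEvents, not one of these values, so
// "ActionType == FailureReason" compares two columns and returns no rows.
DeviceLogonEvents
| where Timestamp > ago(30d)
| distinct ActionType
```

In the advanced hunting editor only the highlighted query runs, so select one of the two statements before running. The DeviceName comparison uses the case-sensitive in operator, so the device names must match the casing recorded in the table; use in~ if the casing is uncertain.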

arunrider
Oct 12, 2022

Tested, ActionType == LogonFailed

Pandaguo
Apr 10, 2022

DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop") and ActionType == "LogonFailed" | summarize LoginFailures=count() by DeviceName, LogonType

Apocalypse03
Dec 16, 2022

The correct answer is: DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == FailureReason | summarize LogonFailures=count() by DeviceName, LogonType. Here is a brief explanation of how this query works: The DeviceLogonEvents table is selected, which contains logon events for devices. The where clause filters the events to only include those that have a DeviceName of CFOLaptop, CEOLaptop, or COOLaptop, and an ActionType of FailureReason. This effectively filters the events to only include failed logon events from the specified devices. The summarize clause counts the number of events that match the previous criteria, grouping the results by DeviceName and LogonType. The count() function counts the number of events in each group, and the LogonFailures alias is used to label this count in the resulting output.

EricChu
Dec 29, 2022

How can a reason be an action???? Action type is a reason, did you hear yourself?

AJ2021
Feb 8, 2023

Question in Exam today

altecer
Feb 11, 2023

On exam 2-11-2023

BhanuD
Nov 16, 2022

Under the DeviceLogonEvents schema, below are the ActionType values available; FailureReason is a column in the schema that can be fetched. ActionType values: LogonAttempted, LogonFailed, LogonSuccess. Hence the answer is ActionType == 'LogonFailed'; also, a string should be enclosed in single or double quotes.

mimguy
Jul 7, 2023

On the test July 7 2023

mc250616
Nov 11, 2023

Hi All, checked again in a real environment. The shown answer is not correct, as FailureReason is not one of the ActionTypes and this search returns no result. Correct answer is: DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName, LogonType

Vamshi_Pasham
Mar 24, 2024

In the given answer, ActionType should be "LogonFailed".

cyber_mks
Mar 27, 2023

Correct answer is DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == FailureReason | summarize LogonFailures=count() by DeviceName, LogonType

NathanZ
Jul 19, 2023

Correct answer should be: ActionType == "LogonFailed". When running this query, no result is returned: DeviceLogonEvents | where ActionType == FailureReason

chepeerick
Oct 21, 2023

Correct

Hawklx
Jul 16, 2024

Please fix this answer