Log Analysis PBQs: Exam AZ-500: Microsoft Azure Security Technologies
Question 1 of 3 (difficulty: easy)
You are an Azure security engineer who received a Microsoft Sentinel alert indicating a potential brute-force attack against an Azure AD user account. The alert fired about 15 minutes ago. Your team has asked you to review the Azure AD sign-in logs and Defender alerts in your Sentinel workspace to confirm the attack, identify the scope, and recommend a response. Flag all entries related to the brute-force activity and answer the incident questions.
Objectives
- Review the Azure AD sign-in logs and Defender alerts for suspicious authentication activity
- Flag all log entries related to the brute-force attack
- Classify the type of security incident
- Identify the attacker's source IP address
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 08:00:00 | INFO | auth | Sign-in success: user:sarah.chen@contoso.com from 10.0.1.55 -- Azure Portal -- managed device |
| | 08:05:00 | INFO | activity-log | Microsoft.Compute/virtualMachines/read called by sarah.chen@contoso.com -- listing VMs in rg-production |
| | 08:10:00 | WARN | auth | Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 1) |
| | 08:10:05 | WARN | auth | Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 2) |
| | 08:10:10 | WARN | auth | Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 3) |
| | 08:10:15 | WARN | auth | Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 4) |
| | 08:10:20 | ALERT | auth | Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 5) |
| | 08:10:25 | ALERT | auth | Account lockout: user:j.rodriguez@contoso.com -- Smart Lockout triggered after 5 failed attempts from 203.0.113.91 |
| | 08:10:30 | ALERT | defender | Brute-force attack detected: 5 failed sign-ins in 30s targeting j.rodriguez@contoso.com from IP 203.0.113.91 (location: external) |
| | 08:12:00 | INFO | activity-log | Microsoft.Storage/storageAccounts/listKeys/action called by app:backup-automation -- storage account: stprodbackups |
| | 08:15:00 | INFO | auth | Sign-in success: user:m.kumar@contoso.com from 10.0.2.30 -- Teams client -- managed device |
| | 08:18:00 | INFO | activity-log | Microsoft.KeyVault/vaults/read called by sarah.chen@contoso.com -- vault: kv-prod-secrets |
| | 08:20:00 | INFO | activity-log | Microsoft.Sql/servers/databases/read called by app:monitoring-service -- database: sqldb-analytics |
13 entries in total. Flag the events related to the suspicious activity.
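As an added example (not part of this exercise), the rule the Defender alert above states, five failed sign-ins within 30 seconds from one source IP against one account, applied as a sliding-window detector to the auth rows of the table, so the entries to flag come out of the code rather than by eye. The pipe-delimited sample is constructed from the table; the line format, the regex and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed from the auth rows of the table above as "time|severity|message" (one sign-in per line).
SAMPLE_LOG = """\
08:10:00|WARN|Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 1)
08:10:05|WARN|Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 2)
08:10:10|WARN|Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 3)
08:10:15|WARN|Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 4)
08:10:20|ALERT|Sign-in failure: user:j.rodriguez@contoso.com from 203.0.113.91 -- error: AADSTS50126 Invalid credentials (attempt 5)
08:15:00|INFO|Sign-in success: user:m.kumar@contoso.com from 10.0.2.30 -- Teams client -- managed device
"""

# Assumed line shape; only the fields the detector needs are captured.
SIGNIN_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\|\w+\|Sign-in (?P<outcome>success|failure): "
    r"user:(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_signins(text):
    """Turn auth log lines into events; lines that are not sign-ins are skipped."""
    events = []
    for line in text.splitlines():
        m = SIGNIN_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["time"], "%H:%M:%S"),  # same day assumed
                           "user": m["user"], "ip": m["ip"],
                           "failed": m["outcome"] == "failure", "raw": line})
    return events

def detect_brute_force(events, threshold=5, window_seconds=30):
    """Sliding window per (user, source IP): return {(user, ip): [failed events]} for the first
    run of >= threshold failures whose first and last timestamps lie within window_seconds."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["failed"]:
            failures[(ev["user"], ev["ip"])].append(ev)
    hits = {}
    for key, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                hits[key] = evs[start:end + 1]  # the entries to flag
                break
    return hits
```

Calling `detect_brute_force(parse_signins(SAMPLE_LOG))` returns the single offending (user, IP) pair with the five failure lines to flag; raising the threshold or shrinking the window shows how the same run drops below an alerting rule that is tuned too loosely.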
Incident Analysis
Flag the suspicious entries and answer the incident questions.