Log Analysis PBQs: Exam SC-100: Microsoft Cybersecurity Architect
Difficulty: easy. Question 1 of 3
You are a cybersecurity architect reviewing cross-tenant access activity in your organization's Microsoft Sentinel workspace. A compliance analyst flagged an alert about an external guest account attempting to access resources in a subscription it was not authorized for. Your task is to review the Azure Activity Log and Azure AD sign-in logs to determine the scope of the unauthorized access attempts, flag all related entries, and recommend a response to the identity governance team.
Objectives
- Review the Azure AD sign-in logs and Activity logs for unauthorized guest access attempts
- Flag all log entries related to the suspicious guest account activity
- Classify the type of security incident
- Identify the guest account performing unauthorized access
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 10:00:00 | INFO | auth | Sign-in success: user:admin@contoso.com from 10.0.1.10 -- Azure Portal -- managed device |
| | 10:05:00 | INFO | activity-log | Microsoft.Resources/subscriptions/read called by admin@contoso.com -- subscription:Production |
| | 10:10:00 | INFO | auth | Sign-in success: guest:vendor.tech@externpartner.com from 203.0.113.60 -- Azure Portal -- unmanaged device |
| | 10:11:30 | WARN | activity-log | Microsoft.Resources/subscriptions/read called by vendor.tech@externpartner.com -- subscription:Production -- result: Forbidden (guest not authorized) |
| | 10:12:00 | WARN | activity-log | Microsoft.Compute/virtualMachines/read called by vendor.tech@externpartner.com -- rg-production -- result: Forbidden |
| | 10:12:30 | WARN | activity-log | Microsoft.Storage/storageAccounts/listKeys/action called by vendor.tech@externpartner.com -- stcustomerdata -- result: Forbidden |
| | 10:13:00 | ALERT | defender | Suspicious guest activity: vendor.tech@externpartner.com attempted 3 unauthorized resource access operations in 90 seconds across subscription:Production |
| | 10:15:00 | INFO | activity-log | Microsoft.KeyVault/vaults/read called by app:deployment-pipeline -- vault: kv-prod-secrets |
| | 10:17:00 | WARN | activity-log | Microsoft.KeyVault/vaults/secrets/list called by vendor.tech@externpartner.com -- vault: kv-prod-secrets -- result: Forbidden |
| | 10:18:00 | INFO | auth | Sign-in success: user:m.kumar@contoso.com from 10.0.2.30 -- Teams client -- managed device |
| | 10:20:00 | INFO | activity-log | Microsoft.Sql/servers/databases/read called by app:monitoring-service -- database: sqldb-analytics |
| | 10:22:00 | INFO | activity-log | Microsoft.Compute/virtualMachines/read called by app:monitoring-agent -- health check in rg-infrastructure |
12 total entries.
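As an added example (not part of the exam page), the Python triage routine below parses entries like those in the table above, identifies the principal that signed in with the guest: prefix, collects every entry that should be flagged for that identity, lists the operations RBAC denied, and measures the largest number of denials inside a 90 s window, the same burst condition the Defender alert describes. The pipe-separated line format, the function names and the use of clock times without a date are assumptions for this example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: nine of the entries from the table above as "time|severity|source|message".
LOG_LINES = """\
10:00:00|INFO|auth|Sign-in success: user:admin@contoso.com from 10.0.1.10 -- Azure Portal -- managed device
10:05:00|INFO|activity-log|Microsoft.Resources/subscriptions/read called by admin@contoso.com -- subscription:Production
10:10:00|INFO|auth|Sign-in success: guest:vendor.tech@externpartner.com from 203.0.113.60 -- Azure Portal -- unmanaged device
10:11:30|WARN|activity-log|Microsoft.Resources/subscriptions/read called by vendor.tech@externpartner.com -- subscription:Production -- result: Forbidden (guest not authorized)
10:12:00|WARN|activity-log|Microsoft.Compute/virtualMachines/read called by vendor.tech@externpartner.com -- rg-production -- result: Forbidden
10:12:30|WARN|activity-log|Microsoft.Storage/storageAccounts/listKeys/action called by vendor.tech@externpartner.com -- stcustomerdata -- result: Forbidden
10:13:00|ALERT|defender|Suspicious guest activity: vendor.tech@externpartner.com attempted 3 unauthorized resource access operations in 90 seconds across subscription:Production
10:15:00|INFO|activity-log|Microsoft.KeyVault/vaults/read called by app:deployment-pipeline -- vault: kv-prod-secrets
10:17:00|WARN|activity-log|Microsoft.KeyVault/vaults/secrets/list called by vendor.tech@externpartner.com -- vault: kv-prod-secrets -- result: Forbidden
""".splitlines()
SIGNIN_RE = re.compile(r"Sign-in success: (user|guest):(\S+) from")
ACTION_RE = re.compile(r"^(\S+) called by (\S+)")

def parse(line):
    # Clock times only (assumption: one day of logs); add a date field for logs that cross midnight.
    t, sev, src, msg = line.split("|", 3)
    return {"time": datetime.strptime(t, "%H:%M:%S"), "severity": sev, "source": src, "message": msg}

def guest_principals(entries):
    """UPNs that signed in with the guest: prefix, i.e. external (B2B) identities."""
    return {m.group(2) for e in entries if (m := SIGNIN_RE.search(e["message"])) and m.group(1) == "guest"}

def forbidden_ops(entries, principal):
    """(time, operation) for each call by `principal` that RBAC denied."""
    return [(e["time"], m.group(1)) for e in entries
            if principal in e["message"] and "result: Forbidden" in e["message"]
            and (m := ACTION_RE.match(e["message"]))]

def max_in_window(times, window=timedelta(seconds=90)):
    """Largest number of events inside any span of length `window` (burst size)."""
    times = sorted(times)
    return max((sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times)), default=0)

def triage(lines):
    """Per guest identity: every entry to flag, the denied operations, and the 90 s burst size."""
    entries = [parse(line) for line in lines]
    report = {}
    for guest in guest_principals(entries):
        denied = forbidden_ops(entries, guest)
        report[guest] = {
            "flagged_times": [e["time"].strftime("%H:%M:%S") for e in entries if guest in e["message"]],
            "denied_ops": [op for _, op in denied],
            "burst_90s": max_in_window([t for t, _ in denied]),
        }
    return report
```

Entries for managed-device users and workload identities (app:) never enter the report, so the flagged set is exactly the guest's sign-in, its four denied calls and the Defender alert that references it.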