KQL Exam Questions

kql questions

Uploaded by

qetji351

Instructions for this Exam

- This is an open book exam.
- Paste a screenshot of the answer along with the KQL used for Q1 to Q8.
- For Q1 to Q8, log in to the Azure portal and navigate to the lab demo here:
  http://aka.ms/lademo
  - Q1 to Q8 carry 2 marks each.
- You can use ChatGPT, but don't copy and paste the answer; give the
  explanation in your own words for Q9 and Q10.
  - Q9 is 5 marks.
  - Q10 is 4 marks.

Questions

1) Detect failed logins from the SignIn table.

2) Write KQL for computers with logons from guest accounts from the
SecurityEvent table.

3) Write KQL for logons with clear text password by target account.

4) Write KQL to look into Syslog for computers with failed sudo login.

5) Write KQL to count how many security or other critical updates are
missing using the Update table.

6) Identify admin activities in the Azure Activity table using KQL.

7) Identify failed login attempts in the past 1 hour in the Azure Activity
table using KQL.

8) Summarize the count of IP addresses which have performed admin actions
in the past one hour from the Azure Activity table.

9) Explain this KQL and what it does.

let timedelta = 10m;
SecurityEvent
// A user account was created
| where EventID == "4720"
| where AccountType == "User"
| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid
| join kind=inner (
    SecurityEvent
    // A user account was deleted
    | where EventID == "4726"
    | where AccountType == "User"
    | project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid
) on Computer, TargetUserName
| where deletionTime - creationTime < timedelta
| extend TimeDelta = deletionTime - creationTime
| where tolong(TimeDelta) >= 0
| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, deletionTime, DeleteEventID, AccountUsedToDelete
| extend timestamp = creationTime,
         HostName = tostring(split(Computer, '.', 0)[0]),
         DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')),
         Name = tostring(split(UserPrincipalName, '@', 0)[0]),
         UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain

10) What is the purpose of this KQL?

let DecoyUserNameList = dynamic(["SQL01$","CH1-VM$"]);
SecurityEvent
| where TargetUserName in (DecoyUserNameList)
| where EventID in (4624, 4625)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, LogonTypeName, IpAddress
