GIAC GCFA · Question #326
Question
John works as a Network Administrator for DigiNet Inc. He wants to investigate failed logon attempts on a network. He uses Log Parser to detail the failed logons over a specific time frame. He runs the following command and query to list all failed logons on a specific date:

logparser.exe file:FailedLogons.sql -i:EVT -o:datagrid

SELECT timegenerated AS LogonTime, extract_token(strings, 0, '|') AS UserName FROM Security WHERE EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539) AND to_string(timegenerated,'yyyy-MM-dd HH:mm:ss') LIKE '2004-09%'

After investigation, John concludes that two logon attempts were made using an expired account. Which of the following EventIDs refers to this failed logon?
Options
- A. 529
- B. 534
- C. 531
- D. 532