GCIA Question #497: Real Exam Question with Answer & Explanation
The correct answer is A. 532. Event ID 532 is the pre-Vista Security log event for a logon failure caused by an expired user account; 529 is a bad username or password, 531 a disabled account, and 534 a logon type the user is not granted.
Question
John works as a Network Administrator for DigiNet Inc. He wants to investigate failed logon attempts on a network. He uses Log Parser to detail the failed logons over a specific time frame, running the following command and query to list all failed logons on a specific date:

    logparser.exe file:FailedLogons.sql -i:EVT -o:datagrid

    SELECT timegenerated AS LogonTime,
           extract_token(strings, 0, '|') AS UserName
    FROM Security
    WHERE EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)
      AND to_string(timegenerated, 'yyyy-MM-dd HH:mm:ss') LIKE '2004-09%'

After investigation, John concludes that two logon attempts were made using an expired account. Which of the following Event IDs refers to this failed logon?
Options
- A. 532
- B. 531
- C. 534
- D. 529