SPLK-5002 · Question #84
SPLK-5002 Question #84: Real Exam Question with Answer & Explanation
The correct answer is D: Search: index="main" sourcetype="ms:aad:signin" loginStatus=Failure | geostats
Question
Options
- A. Search: index="main" sourcetype="WinEventLog" | geostats latfield=geoCoordinates.latitude
- B. Search: index="main" sourcetype="ms:aad:signin" | geostats latfield=geoCoordinates.latitude
- C. Search: index="main" sourcetype="WinEventLog" loginStatus=Failure | geostats
- D. Search: index="main" sourcetype="ms:aad:signin" loginStatus=Failure | geostats
Explanation
Azure Active Directory sign-in events carry the sourcetype ms:aad:signin, so options A and C (sourcetype WinEventLog) select the wrong data entirely, and option B, as shown, has no loginStatus=Failure filter and would plot every sign-in rather than only the failed ones. Option D combines the correct sourcetype with loginStatus=Failure, and piping the result to geostats with latfield and longfield pointing at the event's geoCoordinates.latitude and geoCoordinates.longitude fields aggregates the failed logins by location. A Cluster Map visualization renders those aggregated counts on a map, which is the quickest way to spot failed logins originating outside of North America.
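Added example (not part of this exam page): the search in option D, `index="main" sourcetype="ms:aad:signin" loginStatus=Failure | geostats latfield=geoCoordinates.latitude longfield=geoCoordinates.longitude count`, re-implemented in Python over constructed sign-in records so that the filter and the geographic binning can be run and checked offline. The field names come from the question; the sample events, the 1-degree bin size, the North America bounding box and every function name are assumptions made for this example and are not Splunk's own code.

```python
"""Filter-then-geostats logic of option D, re-implemented over constructed
Azure AD sign-in records. Added example; not code from the exam page."""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events (not real data), shaped like the flattened fields
# Splunk would extract from Azure AD sign-in JSON. The sourcetype, loginStatus
# and geoCoordinates.* names are the ones the question uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"sourcetype": "ms:aad:signin", "loginStatus": "Failure", "user": "alice",
     "geoCoordinates.latitude": "47.61", "geoCoordinates.longitude": "-122.33"},   # Seattle
    {"sourcetype": "ms:aad:signin", "loginStatus": "Success", "user": "alice",
     "geoCoordinates.latitude": "47.61", "geoCoordinates.longitude": "-122.33"},   # success, dropped
    {"sourcetype": "ms:aad:signin", "loginStatus": "Failure", "user": "bob",
     "geoCoordinates.latitude": "52.52", "geoCoordinates.longitude": "13.40"},     # Berlin
    {"sourcetype": "ms:aad:signin", "loginStatus": "Failure", "user": "bob",
     "geoCoordinates.latitude": "52.50", "geoCoordinates.longitude": "13.45"},     # Berlin, same bin
    {"sourcetype": "ms:aad:signin", "loginStatus": "Failure", "user": "carol",
     "geoCoordinates.latitude": "-33.87", "geoCoordinates.longitude": "151.21"},   # Sydney
    {"sourcetype": "WinEventLog", "loginStatus": "Failure", "user": "dave",
     "geoCoordinates.latitude": "40.71", "geoCoordinates.longitude": "-74.01"},    # wrong sourcetype
    {"sourcetype": "ms:aad:signin", "loginStatus": "Failure", "user": "erin"},     # no coordinates
]

Cell = Tuple[float, float]


def search_filter(events: List[Dict[str, str]],
                  sourcetype: str = "ms:aad:signin",
                  login_status: str = "Failure") -> List[Dict[str, str]]:
    """Equivalent of the search head: sourcetype="ms:aad:signin" loginStatus=Failure.
    Both terms are exact matches, as they are in SPL."""
    return [e for e in events
            if e.get("sourcetype") == sourcetype and e.get("loginStatus") == login_status]


def geostats_count(events: List[Dict[str, str]],
                   latfield: str = "geoCoordinates.latitude",
                   longfield: str = "geoCoordinates.longitude",
                   bin_deg: float = 1.0) -> Dict[Cell, int]:
    """Rough stand-in for `| geostats latfield=... longfield=... count`: bin events on
    a lat/long grid (assumed 1-degree cells; real geostats bins by zoom level) and count.
    Events without usable coordinates are skipped, as geostats cannot place them."""
    counts: Counter = Counter()
    for e in events:
        try:
            lat = float(e[latfield])
            lon = float(e[longfield])
        except (KeyError, ValueError):
            continue
        cell: Cell = (math.floor(lat / bin_deg) * bin_deg, math.floor(lon / bin_deg) * bin_deg)
        counts[cell] += 1
    return dict(counts)


# Assumed, deliberately coarse bounding box for North America:
# (lat_min, lat_max, lon_min, lon_max). Good enough to separate continents.
NORTH_AMERICA_BBOX = (15.0, 72.0, -170.0, -50.0)


def outside_north_america(cells: Dict[Cell, int]) -> Dict[Cell, int]:
    """Keep only the map cells whose centre point falls outside the bounding box;
    these are the clusters an analyst would look at first on the Cluster Map."""
    lat_min, lat_max, lon_min, lon_max = NORTH_AMERICA_BBOX
    return {cell: n for cell, n in cells.items()
            if not (lat_min <= cell[0] <= lat_max and lon_min <= cell[1] <= lon_max)}


if __name__ == "__main__":
    failed = search_filter(SAMPLE_EVENTS)
    cells = geostats_count(failed)
    for cell, n in sorted(outside_north_america(cells).items(), key=lambda kv: -kv[1]):
        print(f"lat={cell[0]:+.0f} lon={cell[1]:+.0f} failed_logins={n}")
```

Running it lists the Berlin cell (2 failed logins) and the Sydney cell (1) and omits Seattle, the successful Alice sign-in, the WinEventLog event and the event with no coordinates, which is the same set of exclusions the SPL search and the Cluster Map would apply.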