AZ-305 Design identity, governance, and monitoring solutions • Set 17
AZ-305 Design identity, governance, and monitoring solutions Practice Test 17 — 15 questions with explanations.
You are investigating a security incident where an unauthorized user may have modified a production VM. You run the KQL query shown in the exhibit in Microsoft Sentinel, but it returns no results. The VMs are present and have been modified recently. What is the most likely reason for no results?
Refer to the exhibit.
```kusto
// KQL query used in a Microsoft Sentinel analytics rule
let VMList = dynamic(["vm-web-prod-01", "vm-web-prod-02"]);
AzureActivity
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
| where ResourceId contains "virtualMachines/"
| extend VMName = extract("virtualMachines/([^/]+)", 1, ResourceId)
| where VMName in (VMList)
| where ActivityStatusValue == "Success"
| project TimeGenerated, VMName, Caller, ResourceGroup
```