MS-102 • Practice Test 33
Free MS-102 practice test — 15 questions with explanations. Set 33. No signup required.
You run the KQL query in Microsoft Defender XDR. The query returns a list of users who logged into Exchange Online more than 10 times in the last day from a single IP address. However, you notice that some IP addresses are internal corporate IPs. What should you add to the query to focus on suspicious logons from external IPs?
Refer to the exhibit. ```kusto // KQL query in Microsoft Defender XDR IdentityLogonEvents | where Timestamp > ago(1d) | where Application == "Exchange Online" | summarize TotalLogons = count() by AccountUpn, IPAddress | where TotalLogons > 10 | project AccountUpn, IPAddress, TotalLogons ```