Question 144 of 963
Implement a secure environmentmediumMultiple ChoiceObjective-mapped

DP-300 sys.dm_exec_sessions Practice Question

This DP-300 practice question tests your understanding of implement a secure environment. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: sys.dm_exec_sessions. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit. You have an Azure SQL Database and you run the following KQL query in Azure Monitor:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where Category == "SQLSecurityAuditEvents"
| where action_id_s == "LGIF"
| project TimeGenerated, client_ip_s, application_name_s, succeeded_s

You execute the following query:

SELECT c.client_ip, c.application_name FROM sys.dm_exec_sessions s JOIN sys.dm_exec_connections c ON s.session_id = c.session_id WHERE s.action_id = 'LGIF' AND s.state = 'ABORT';

What does this query return?

Exhibit

Refer to the exhibit. You have an Azure SQL Database and you run the following KQL query in Azure Monitor:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where Category == "SQLSecurityAuditEvents"
| where action_id_s == "LGIF"
| project TimeGenerated, client_ip_s, application_name_s, succeeded_s

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Successful login events with client IP and application name.

The query does not return failed login attempts because a failed login does not create a session in sys.dm_exec_sessions. The DMVs only contain information for authenticated (successful) sessions. While the WHERE clause filters on action_id='LGIF' and state='ABORT', these columns do not exist in these DMVs; as written, the query would likely return no rows or an error. However, if the columns were present, the DMVs still would not capture failed logins. The only plausible result among the options is successful login events (D), as the DMVs are sources for active session data.

Key principle: sys.dm_exec_sessions

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • All security audit events for the database.

    Why it's wrong here

    Incorrect. Security audit events are not stored in these DMVs.

  • Failed login events at the server level.

    Why it's wrong here

    Incorrect. Server-level failed login events are not captured here.

  • Failed login attempts to the database, including client IP and application name.

    Why it's wrong here

    Incorrect. Failed login attempts do not create sessions, so they are not represented in these DMVs.

  • Successful login events with client IP and application name.

    Why this is correct

    Correct. The DMVs only contain data for successful logins, so the query (if it were valid) would return information about active sessions, which are successful logins.

    Related concept

    sys.dm_exec_sessions

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap is that candidates assume failed login events are recorded in these DMVs. In reality, only successful authentications produce sessions; thus, the query returns no failed login data. If the question expects a positive result, it would be about successful logins.

Detailed technical explanation

How to think about this question

Under the hood, `sys.dm_exec_sessions` tracks session-level events, and `action_id` = 'LGIF' corresponds to the login failed event in the SQL Server Extended Events engine, which is logged when authentication fails (e.g., wrong password or non-existent user). The `state` column in this context reflects the session state; 'ABORT' means the session was terminated due to the failure, while successful logins would show 'RUNNING' or 'SLEEPING'. A real-world scenario is auditing failed logins to detect brute-force attacks, where capturing `client_ip` and `application_name` helps identify malicious sources and applications.

KKey Concepts to Remember

  • sys.dm_exec_sessions
  • sys.dm_exec_connections
  • Failed login events

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

sys.dm_exec_sessions

Real-world example

How this comes up in practice

A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. sys.dm_exec_sessions Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.

What to study next

Got this wrong? Here's your next step.

Review sys.dm_exec_sessions, then practise related DP-300 questions on the same topic to reinforce the concept.

Related practice questions

Related DP-300 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DP-300 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DP-300 question test?

Implement a secure environment — This question tests Implement a secure environment — sys.dm_exec_sessions.

What is the correct answer to this question?

The correct answer is: Successful login events with client IP and application name. — The query does not return failed login attempts because a failed login does not create a session in sys.dm_exec_sessions. The DMVs only contain information for authenticated (successful) sessions. While the WHERE clause filters on action_id='LGIF' and state='ABORT', these columns do not exist in these DMVs; as written, the query would likely return no rows or an error. However, if the columns were present, the DMVs still would not capture failed logins. The only plausible result among the options is successful login events (D), as the DMVs are sources for active session data.

What should I do if I get this DP-300 question wrong?

Review sys.dm_exec_sessions, then practise related DP-300 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

sys.dm_exec_sessions

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More DP-300 practice questions

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DP-300 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-300 exam.