This DP-300 practice question tests your understanding of implement a secure environment. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: sys.dm_exec_sessions. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit. You have an Azure SQL Database and you run the following KQL query in Azure Monitor:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where Category == "SQLSecurityAuditEvents"
| where action_id_s == "LGIF"
| project TimeGenerated, client_ip_s, application_name_s, succeeded_s
You execute the following query:
SELECT c.client_ip, c.application_name
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON s.session_id = c.session_id
WHERE s.action_id = 'LGIF' AND s.state = 'ABORT';
What does this query return?
Exhibit
Refer to the exhibit. You have an Azure SQL Database and you run the following KQL query in Azure Monitor:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where Category == "SQLSecurityAuditEvents"
| where action_id_s == "LGIF"
| project TimeGenerated, client_ip_s, application_name_s, succeeded_s
A
All security audit events for the database.
Why wrong: Incorrect. Security audit events are not stored in these DMVs.
B
Failed login events at the server level.
Why wrong: Incorrect. Server-level failed login events are not captured here.
C
Failed login attempts to the database, including client IP and application name.
Why wrong: Incorrect. Failed login attempts do not create sessions, so they are not represented in these DMVs.
D
Successful login events with client IP and application name.
Correct. The DMVs only contain data for successful logins, so the query (if it were valid) would return information about active sessions, which are successful logins.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Successful login events with client IP and application name.
The query does not return failed login attempts because a failed login does not create a session in sys.dm_exec_sessions. The DMVs only contain information for authenticated (successful) sessions. While the WHERE clause filters on action_id='LGIF' and state='ABORT', these columns do not exist in these DMVs; as written, the query would likely return no rows or an error. However, if the columns were present, the DMVs still would not capture failed logins. The only plausible result among the options is successful login events (D), as the DMVs are sources for active session data.
Key principle: sys.dm_exec_sessions
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
All security audit events for the database.
Why it's wrong here
Incorrect. Security audit events are not stored in these DMVs.
✗
Failed login events at the server level.
Why it's wrong here
Incorrect. Server-level failed login events are not captured here.
✗
Failed login attempts to the database, including client IP and application name.
Why it's wrong here
Incorrect. Failed login attempts do not create sessions, so they are not represented in these DMVs.
✓
Successful login events with client IP and application name.
Why this is correct
Correct. The DMVs only contain data for successful logins, so the query (if it were valid) would return information about active sessions, which are successful logins.
Related concept
sys.dm_exec_sessions
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap is that candidates assume failed login events are recorded in these DMVs. In reality, only successful authentications produce sessions; thus, the query returns no failed login data. If the question expects a positive result, it would be about successful logins.
Detailed technical explanation
How to think about this question
Under the hood, `sys.dm_exec_sessions` tracks session-level events, and `action_id` = 'LGIF' corresponds to the login failed event in the SQL Server Extended Events engine, which is logged when authentication fails (e.g., wrong password or non-existent user). The `state` column in this context reflects the session state; 'ABORT' means the session was terminated due to the failure, while successful logins would show 'RUNNING' or 'SLEEPING'. A real-world scenario is auditing failed logins to detect brute-force attacks, where capturing `client_ip` and `application_name` helps identify malicious sources and applications.
KKey Concepts to Remember
sys.dm_exec_sessions
sys.dm_exec_connections
Failed login events
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
sys.dm_exec_sessions
Real-world example
How this comes up in practice
A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. sys.dm_exec_sessions Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this DP-300 question in full detail.
Implement a secure environment — This question tests Implement a secure environment — sys.dm_exec_sessions.
What is the correct answer to this question?
The correct answer is: Successful login events with client IP and application name. — The query does not return failed login attempts because a failed login does not create a session in sys.dm_exec_sessions. The DMVs only contain information for authenticated (successful) sessions. While the WHERE clause filters on action_id='LGIF' and state='ABORT', these columns do not exist in these DMVs; as written, the query would likely return no rows or an error. However, if the columns were present, the DMVs still would not capture failed logins. The only plausible result among the options is successful login events (D), as the DMVs are sources for active session data.
What should I do if I get this DP-300 question wrong?
Review sys.dm_exec_sessions, then practise related DP-300 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
sys.dm_exec_sessions
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This DP-300 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-300 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.