Exhibit
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malicious IP Login Detection",
"description": "Detects logins from known malicious IPs",
"severity": "Medium",
"enabled": true,
"query": "SigninLogs | where IPAddress in (dynamic(['10.0.0.1', '192.168.1.1'])) | project TimeGenerated, UserPrincipalName, IPAddress",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": ["InitialAccess"],
"techniques": ["T1078"],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": null
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
}
}
}
```- A
The query uses a dynamic list incorrectly
Why wrong: The dynamic list is valid; the query should work.
- B
The rule does not have entity mapping configured
Entity mapping is required for incident creation; without it, incidents may not be generated.
- C
The suppressionDuration is incorrectly configured
Why wrong: Suppression is disabled, so it has no effect.
- D
The queryFrequency is set too high, causing missed events
Why wrong: 5 hours is reasonable; the query runs every 5 hours.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.