Exhibit
Refer to the exhibit.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/', 'MyScheduledRule')]",
      "properties": {
        "displayName": "MyScheduledRule",
        "category": "Security",
        "query": "SigninLogs | where ResultType == 50057",
        "etag": "*"
      }
    },
    {
      "type": "Microsoft.SecurityInsights/alertRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspaceName'), '/', 'MyAlertRule')]",
      "properties": {
        "displayName": "MyAlertRule",
        "description": "Detects disabled account sign-ins",
        "severity": "Medium",
        "enabled": true,
        "query": "SigninLogs | where ResultType == 50057",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": null
        }
      }
    }
  ]
}
```

- A. The severity level 'Medium' is not supported.
  Why wrong: Severity 'Medium' is supported.
- B. The rule is disabled because 'enabled' is set to true but there is a typo.
  Why wrong: No typo; rule is enabled.
- C. The query 'SigninLogs | where ResultType == 50057' is invalid.
  Why wrong: The query is valid and will return results.
- D. The saved search resource type is incorrectly used; it should not be included in the template.
  Why correct: The saved search resource is not a valid Sentinel alert rule; the alert rule is defined correctly but the template may cause deployment errors.
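The distinction behind option D, a Log Analytics saved search versus a Sentinel analytics rule, is easy to check mechanically before a deployment. The following linter is an added example, not part of the original question or of any Microsoft tooling: it parses the exhibit's template (embedded below as a constructed string), reports which resources actually produce detections (`Microsoft.SecurityInsights/alertRules`), flags `savedSearches` resources that only store a query, and also flags any `parameters('...')` reference that the template never declares. The function and finding names are this example's own; it also warns when an alert rule carries no `kind`, since deployed scheduled rules use `"kind": "Scheduled"`, which the exhibit omits.

```python
"""Lint an ARM template for Microsoft Sentinel analytics rules.

Added example for the question above, not code from the page or from
Microsoft. Resource types and the parameters('...') expression syntax
are standard ARM; everything else (function names, finding tuples) is
this example's own convention.
"""
import json
import re

ALERT_RULE_TYPE = "Microsoft.SecurityInsights/alertRules"
SAVED_SEARCH_TYPE = "Microsoft.OperationalInsights/workspaces/savedSearches"
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

# The exhibit template, reproduced verbatim from the question for offline use.
EXHIBIT_TEMPLATE = r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/', 'MyScheduledRule')]",
      "properties": {
        "displayName": "MyScheduledRule",
        "category": "Security",
        "query": "SigninLogs | where ResultType == 50057",
        "etag": "*"
      }
    },
    {
      "type": "Microsoft.SecurityInsights/alertRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspaceName'), '/', 'MyAlertRule')]",
      "properties": {
        "displayName": "MyAlertRule",
        "description": "Detects disabled account sign-ins",
        "severity": "Medium",
        "enabled": true,
        "query": "SigninLogs | where ResultType == 50057",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "incidentConfiguration": {"createIncident": true, "groupingConfiguration": null}
      }
    }
  ]
}
"""


def _param_refs(obj):
    """Yield every parameter name referenced in any ARM expression string."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _param_refs(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _param_refs(value)
    elif isinstance(obj, str):
        yield from PARAM_REF.findall(obj)


def lint_sentinel_template(template_text):
    """Return {'detections': [...], 'findings': [(severity, resource, message), ...]}."""
    template = json.loads(template_text)
    declared = set(template.get("parameters", {}))
    findings, detections = [], []

    for res in template.get("resources", []):
        rtype = res.get("type", "")
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        if rtype == SAVED_SEARCH_TYPE:
            # A saved search only stores a KQL query; it never runs on a schedule
            # or raises alerts/incidents, so it is not a detection.
            findings.append(("warning", name,
                             "saved search is not a Sentinel analytics rule; "
                             "it creates no alerts or incidents"))
        elif rtype == ALERT_RULE_TYPE:
            if "kind" not in res:
                findings.append(("warning", name,
                                 "alert rule has no 'kind' (scheduled rules use \"kind\": \"Scheduled\")"))
            if not props.get("enabled", False):
                findings.append(("warning", name, "alert rule is disabled"))
            if not props.get("query"):
                findings.append(("error", name, "alert rule has no query"))
            if props.get("enabled") and props.get("query"):
                detections.append(name)
        else:
            findings.append(("info", name, f"not a detection resource ({rtype})"))

    # Any parameters('x') the template uses must be declared, or deployment fails.
    for param in sorted(set(_param_refs(template)) - declared):
        findings.append(("error", "<template>",
                         f"parameters('{param}') is referenced but not declared"))
    return {"detections": detections, "findings": findings}


if __name__ == "__main__":
    report = lint_sentinel_template(EXHIBIT_TEMPLATE)
    print("resources that will create detections:", report["detections"])
    for severity, resource, message in report["findings"]:
        print(f"[{severity}] {resource}: {message}")
```

Run against the exhibit, the report lists only `MyAlertRule` as a detection, warns that `MyScheduledRule` is a saved search rather than an analytics rule (the point of option D), warns about the missing `kind`, and reports that `workspaceName` is referenced without a `parameters` block, which is one concrete reason the template "may cause deployment errors".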