Question Analysis
Review the Linux process-creation records to identify which user-account management utility was used to reactivate the previously locked and expired account.
d2b95631-62d7-45a3-aaef-0972cea97931
Question ID
11/16
Models Correct
1
Valid Answer
69%
Success Rate
Reference Answer
Human-validated correct answer for this question
usermod
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | usermod | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where (ProcessCommandLine contains "usermod" and (ProcessCommandLine contains "-U" or ProcessCommandLine contains "-e"))
or (ProcessCommandLine contains "chage" and ProcessCommandLine contains "-E")
or (ProcessCommandLine contains "passwd" and ProcessCommandLine contains "-u")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 4 | 46.47s | 0.0229 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
gpt-4-turbo-2024-04-09 | usermod | DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FileName in ('usermod', 'passwd') and ProcessCommandLine has_any ('-U', 'unlock')
| project DeviceName, FileName, ProcessCommandLine, TimeGenerated | Correct | 1 | 11.05s | 0.0542 |
gpt-4.1 | usermod | DeviceProcessEvents
| where FileName in~ ('usermod','passwd','chage','gpasswd','vipw','vigr')
| where ProcessCommandLine has_any('--unlock','-U','--expiredate','passwd')
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine | Correct | 1 | 4.79s | 0.0133 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0287 |
gpt-4.1-mini | usermod | DeviceProcessEvents
| where FileName in ("usermod", "passwd", "chage", "gpasswd") or ProcessCommandLine has_any ("usermod", "passwd", "chage", "gpasswd")
| where ProcessCommandLine has_any ("reactivate", "unlock", "unlocked", "lock", "locked", "expire", "expired", "activate", "activated")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| summarize count(), make_list(ProcessCommandLine, 10) by FileName, AccountName
| order by count_ desc | Correct | 1 | 3.85s | 0.0025 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0013 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0681 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1552 |
grok-3-mini-beta | usermod | DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where ProcessCommandLine contains 'usermod' or ProcessCommandLine contains 'chage' or ProcessCommandLine contains 'passwd'
| where ProcessCommandLine contains '-U' or ProcessCommandLine contains '-E' // Filtering for unlock (-U) or expiration-related (-E) options
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FileName
| order by TimeGenerated desc | Correct | 1 | 12.27s | 0.0028 |
o1-high | usermod | // Replace YOUR_TIME_FILTER with your desired time filter, e.g. TimeGenerated >= ago(7d)
DeviceInfo
| where OSPlatform == "Linux"
| join kind=inner (
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// you can adjust the file names or commands as needed
| where FileName in~ ("passwd", "usermod", "chage")
// look for keywords typical of reactivating/unlocking accounts
| where ProcessCommandLine has_any ("unlock", "-u", "-U", "--unlock")
) on DeviceId
| where TimeGenerated >= ago(7d) // or your custom time filter
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, AccountName, FileName, ProcessCommandLine, FolderPath
| order by TimeGenerated desc | Correct | 1 | 22.17s | 0.2161 |
o1-low | usermod | DeviceProcessEvents
| join kind=inner (
DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId
) on DeviceId
| where ActionType == "ProcessCreated"
| where FileName in~ ("passwd", "chage", "usermod", "chpasswd")
| where ProcessCommandLine has_any (" -u", " -U", " -e", " -E", "unlock", "unexpire")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100 | Correct | 2 | 39.26s | 0.3208 |
o3-mini-high | usermod | DeviceProcessEvents
// Timerange is set externally via function parameters
| where FileName in ("usermod", "passwd", "chage")
| where ProcessCommandLine has_any ("-U", "--unlock", "unlock")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| distinct TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName | Correct | 2 | 34.94s | 0.0195 |
o3-mini-low | usermod | DeviceProcessEvents
| where FileName has_any ("usermod", "passwd")
| where ProcessCommandLine contains "-U"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 11.43s | 0.0111 |
o4-mini-high | usermod | DeviceProcessEvents
// Limit to process creation events
| where ActionType in ("ProcessCreated", "Start", "ProcessStart")
// Focus on known user account management utilities
| where FileName in ("passwd", "usermod", "chage", "gpasswd")
// Look for flags related to unlocking or re‐enabling accounts
| extend Cmd = ProcessCommandLine
| where Cmd has_any ("--unlock", "-u", "-U", "--expire", "-E")
// Only successful operations (if exit code is captured)
| extend ExitCode = toint(AdditionalFields.ExitCode)
| where isnull(ExitCode) or ExitCode == 0
// Restrict to Linux devices
| join kind=inner (
DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId, OSPlatform
) on DeviceId
// Present the key details
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ExitCode
| sort by TimeGenerated desc | Correct | 3 | 72.29s | 0.0326 |
o4-mini-low | usermod | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in ("passwd", "usermod", "chage")
| extend LowerCmd = tolower(ProcessCommandLine)
// passwd unlock flags, usermod unlock flags, chage expiredate flags
| where (FileName == "passwd" and (LowerCmd contains "-u " or LowerCmd contains "--unlock"))
or (FileName == "usermod" and (LowerCmd contains "-u " or LowerCmd contains "--unlock"))
or (FileName == "chage" and (LowerCmd contains "-e " or LowerCmd contains "--expiredate"))
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by TimeGenerated asc | Correct | 2 | 63.73s | 0.0179 |