AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel • Set 13
AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel Practice Test 13 — 15 questions with explanations. Free, no signup.
Your company has a Microsoft Sentinel workspace that ingests logs from multiple sources, including Azure Active Directory (now Microsoft Entra ID), Azure Firewall, and Microsoft 365 Defender. You are asked to create an analytics rule that detects when a user account is deleted from Microsoft Entra ID and then, within 24 hours, a large number of Azure resources are deleted in the same tenant. You have the following requirements:

- The rule must use KQL to correlate events across two tables: AuditLogs (for user deletion) and ActivityLogs (for resource deletion).
- The rule should trigger an incident only if more than 10 resources are deleted within 24 hours after the user deletion.
- The incident severity should be set to 'High'.
- The rule should run every hour and look back 24 hours.

Which of the following is the correct KQL query for the analytics rule? (Choose the best option.)