AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel • Set 14
AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel Practice Test 14: 15 questions with explanations.
You have a Microsoft Sentinel workspace that ingests data from multiple sources, including Azure Activity, Microsoft Entra ID, and Azure Firewall. You need to create a custom analytics rule that detects when a user signs in from an IP address that has been flagged as malicious in a threat intelligence feed. You have already imported threat intelligence indicators into Sentinel using the 'Threat Intelligence - TAXII' data connector. The threat intelligence indicators are stored in the 'ThreatIntelligenceIndicator' table. Which KQL function should you use in the analytics rule to match sign-in logs against the threat indicators?