SC-200 • Mock Exam 91
Free SC-200 mock exam — 25 questions with explanations. Set 91. No signup required.
Your company uses Microsoft Sentinel as its SIEM and has enabled User and Entity Behavior Analytics (UEBA) to detect insider threats. The UEBA timeline for a user shows several high-risk events, including unusual data exfiltration to an external site and multiple failed logons from a new geographic location. You are asked to create a custom analytics rule that generates an incident when a user exhibits both high-risk behaviors within a 24-hour period. You have the necessary KQL skills. However, when you test the rule, it does not generate any incidents even though the behavior exists. You have confirmed that the UEBA tables (BehaviorAnalytics, IdentityInfo) are populated and that the rule is enabled with a frequency of 1 hour. What is the most likely reason the rule is not firing?
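To make the scenario concrete, here is an added KQL example (not from the exam page) of the kind of scheduled analytics rule query the question describes: it fires only for users who show both a high-priority failed-logon anomaly from a new country and a high-priority data-volume anomaly within the same 24-hour window, using the BehaviorAnalytics table that UEBA populates. The priority threshold and the ActivityInsights keys filtered on are assumptions for illustration; check them against the insight values actually present in your workspace. One caveat that matters when testing such a rule: the query can only see as far back as the rule's "Lookup data from the last" (query period) setting, so a 24-hour correlation needs a query period of at least 24 hours regardless of how often the rule runs.

```kql
// Added example, not the page's own query. Correlates two UEBA high-risk behaviors per user
// within 24 hours. Threshold and insight keys below are assumptions; validate against your data.
let window = 24h;
let priorityThreshold = 7;   // assumed cut-off: InvestigationPriority >= 7 counts as "high risk"
// Side A: failed logons flagged by UEBA as coming from a country the user has never used before.
let failedLogons = BehaviorAnalytics
    | where TimeGenerated > ago(window)
    | where ActivityType == "FailedLogOn"
    | where InvestigationPriority >= priorityThreshold
    // assumed insight key; UEBA stores these flags as strings such as "True"
    | where tobool(ActivityInsights.FirstTimeUserConnectedFromCountry) == true
    | summarize FirstFailedLogon = min(TimeGenerated),
                FailedLogonCount = count(),
                NewCountries = make_set(SourceIPLocation)
      by UserPrincipalName;
// Side B: activity flagged by UEBA as an uncommonly high volume of operations (exfiltration-style).
let highVolume = BehaviorAnalytics
    | where TimeGenerated > ago(window)
    | where InvestigationPriority >= priorityThreshold
    // assumed insight key; substitute the data-volume insight your workspace emits
    | where tobool(ActivityInsights.UncommonHighVolumeOfOperations) == true
    | summarize LastHighVolumeEvent = max(TimeGenerated),
                HighVolumeEvents = count()
      by UserPrincipalName;
// Only users present on both sides, with the two behaviors no more than 24 hours apart, produce a row.
failedLogons
| join kind=inner highVolume on UserPrincipalName
| where abs(datetime_diff('hour', LastHighVolumeEvent, FirstFailedLogon)) <= 24
| project UserPrincipalName, FirstFailedLogon, FailedLogonCount, NewCountries,
          LastHighVolumeEvent, HighVolumeEvents
```

When wiring this into a scheduled rule, map UserPrincipalName to the Account entity so the resulting incident links back to the user's UEBA entity page, and run the query in Logs first with the same time range as the rule's query period to confirm it returns rows before relying on the rule to raise incidents.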