SC-200 Manage a security operations environment • Set 18
SC-200 Manage a security operations environment Practice Test 18 — 15 questions with explanations.
You are reviewing a Microsoft Sentinel analytics rule configuration. The rule is not generating incidents as expected. What is the most likely cause?
Refer to the exhibit.
{
  "properties": {
    "displayName": "MFA Disabled Alert",
    "description": "Alert when MFA is disabled for a user.",
    "severity": "Medium",
    "enabled": true,
    "query": "IdentityLogonEvents | where Application == 'Microsoft Entra ID' | where ActionType == 'MFA disabled' | summarize Count=count() by AccountUpn",
    "queryFrequency": "PT5H",
    "queryPeriod": "PT5H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false
  }
}