A security operations team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when an Azure virtual machine is created with a public IP address that is not in an approved list. Which type of rule should they use?
Correct. Scheduled query rules allow you to run a KQL query on a schedule and create incidents based on the results. This is ideal for checking new VM creations against an approved IP list.
Why this answer
A scheduled query rule is the correct choice because it allows you to define a KQL query that runs on a recurring schedule (e.g., every 5 minutes) to detect when an Azure VM is created with a public IP not in an approved list. This rule type is designed for custom detection logic that requires periodic evaluation of log data, such as AzureActivity logs or Azure Resource Graph, making it ideal for this scenario.
Exam trap
The trap here is that candidates confuse NRT rules with scheduled query rules, assuming that NRT's lower latency is always the better choice. However, NRT rules lack the ability to reference external data sources such as watchlists, which this scenario needs for a dynamic comparison against the approved IP list.
How to eliminate wrong answers
Option B (NRT rule) is wrong because near-real-time rules are designed for low-latency detection (up to 2 minutes) but do not support the complex KQL logic needed to cross-reference a dynamic approved list; they are better suited to simple, high-frequency patterns. Option C (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in time-series data, not static comparisons against an approved list. Option D (Fusion rule) is wrong because Fusion rules are prebuilt for multi-stage attack detection that correlates different data sources, not for custom single-condition checks such as VM creation with an unapproved public IP.