A security team uses Microsoft Sentinel. They want to create a custom detection rule that identifies a potential data exfiltration scenario: when a user signs in from an unusual location and then, within 30 minutes, performs a large download from Azure Blob Storage. They need to correlate sign-in logs from Azure AD with storage diagnostic logs. Which type of analytics rule should they create in Microsoft Sentinel?
Scheduled rules can run KQL queries that join multiple tables (e.g., SigninLogs and StorageBlobLogs) to correlate events and trigger alerts when the pattern is detected.
Why this answer
A scheduled query rule is correct because it allows you to write a KQL query that joins Azure AD sign-in logs (SigninLogs) with Azure Storage diagnostic logs (StorageBlobLogs) based on a user identifier, and then uses a time window (e.g., 30 minutes) to correlate the two events. This is the only rule type that supports custom KQL logic for multi-table joins and time-based correlation, which is essential for detecting the described exfiltration pattern.
Exam trap
The trap here is that candidates often confuse NRT rules with scheduled queries, assuming NRT's low latency is better for time-sensitive correlations, but NRT rules cannot handle multi-table joins or extended time windows, making scheduled queries the only viable option for this scenario.
How to eliminate wrong answers
Option B is wrong because NRT (near-real-time) rules run every minute with a 1-minute lookback and cannot perform complex joins across multiple tables or use time windows longer than a few minutes, making them unsuitable for correlating sign-in and storage logs over a 30-minute window. Option C is wrong because fusion rules are based on Microsoft's built-in machine learning models that correlate alerts from multiple products, not custom KQL queries; they cannot be tailored to join specific Azure AD sign-in logs with storage diagnostic logs. Option D is wrong because ML-based analytics rules use pre-built anomaly detection models (e.g., for unusual sign-in patterns) and do not support custom correlation logic across different data sources like sign-in logs and storage logs.