Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?
Use the Microsoft Defender XDR connector as the data source, which ingests MDE alerts and device information, and a Scheduled query rule to detect the high-risk condition.
Why this answer
The Microsoft Defender XDR connector ingests alerts from Microsoft Defender for Endpoint (MDE) into Sentinel. A Scheduled query rule is required to run a KQL query at a defined interval (e.g., every 5 minutes) that checks for devices with a 'high risk' severity level in the ingested alert data. This combination allows you to create an incident when MDE reports a device as high risk.
Exam trap
The trap here is confusing the Microsoft Defender XDR connector (which covers MDE, MDO, MDI, and MDCA) with the Microsoft 365 Defender connector (which is deprecated or used for legacy scenarios), leading candidates to incorrectly choose Option B.
How to eliminate wrong answers
Option A is wrong because Anomalous Activity rules use machine learning to detect unusual patterns in time-series data, not to trigger on a specific static alert severity like 'high risk' from MDE.
Option B is wrong because the Microsoft 365 Defender connector is used for Microsoft 365 Defender (formerly Microsoft Threat Protection) alerts, not for MDE alerts directly; also, NRT (near-real-time) query rules are designed for low-latency scenarios but require a specific connector (Microsoft Defender XDR) for MDE data.
Option D is wrong because the Microsoft Defender for Cloud connector ingests security alerts from Azure and hybrid workloads, not from MDE endpoint devices; Fusion rules correlate multiple alert types across different products, not a single static condition.