Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to create a custom detection rule that triggers when a user is added to a privileged role in Microsoft Entra ID and within 5 minutes performs a mass download from SharePoint. Which approach should you use?
Use a Microsoft Sentinel scheduled analytics rule: it can query multiple data sources (here Entra ID audit logs and SharePoint activity) and join them with KQL inside a time window.
Why this answer
Option D is correct because the detection requires correlating events from two different sources, Microsoft Entra ID (a privileged role assignment, recorded in AuditLogs through the Entra ID connector) and SharePoint Online (file downloads, recorded in OfficeActivity through the Microsoft 365 connector), and only counting the downloads that occur within 5 minutes of the role assignment. A Microsoft Sentinel scheduled query rule runs a KQL query on a timer, and KQL can join the two tables on the user and filter the joined rows to a time window, so the cross-source, time-bound logic lives entirely in the rule query. That is what makes it the native fit for this requirement in the Defender XDR plus Sentinel stack.
Exam trap
The trap here is that candidates assume Microsoft 365 Defender (now Defender XDR) can correlate all Microsoft 365 data. Its custom detection rules run only over the advanced hunting tables; they do not expose the Entra ID AuditLogs table or the OfficeActivity table that Sentinel ingests through its dedicated connectors. Some of this activity (for example SharePoint file operations) does surface in the CloudAppEvents table when the Microsoft 365 app connector is enabled, but the exam scenario is built around a two-table, time-windowed join that the Sentinel scheduled rule is designed for.
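The following KQL is an added example of the scheduled rule query described above; it is not part of the original question or answer key and not from Microsoft documentation. AuditLogs and OfficeActivity are the real Sentinel table names, but here two constructed datatables stand in for them so the query runs in any Log Analytics workspace; the user names, timestamps, privileged role list and the download threshold are assumptions chosen for the example. In a real rule you replace the two sample tables with `AuditLogs` and `OfficeActivity`.

```kql
// Added example (not the original page's content). Constructed sample data below.
let window = 5m;              // the 5-minute correlation window from the scenario
let downloadThreshold = 50;   // "mass download": assumed value, tune to your tenant
let PrivilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator",
                               "SharePoint Administrator", "Security Administrator"]);
// --- Constructed stand-in for the AuditLogs table (Entra ID connector) ---
// Real AuditLogs stores the role name inside TargetResources[0].modifiedProperties
// as a JSON-encoded string, which is why the value below carries escaped quotes.
let AuditLogsSample = datatable(TimeGenerated:datetime, OperationName:string, Result:string,
                                TargetResources:dynamic, InitiatedBy:dynamic)
[
    datetime(2024-05-01 10:00:00), "Add member to role", "success",
      dynamic([{"userPrincipalName":"alice@contoso.example",
                "modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Global Administrator\""}]}]),
      dynamic({"user":{"userPrincipalName":"admin@contoso.example"}}),
    datetime(2024-05-01 10:00:00), "Add member to role", "success",
      dynamic([{"userPrincipalName":"bob@contoso.example",
                "modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Global Administrator\""}]}]),
      dynamic({"user":{"userPrincipalName":"admin@contoso.example"}})
];
// --- Constructed stand-in for the OfficeActivity table (Microsoft 365 connector) ---
// alice downloads 60 files within 3 minutes of the role grant; bob downloads 2.
let OfficeActivitySample = union
    (range i from 1 to 60 step 1
     | project TimeGenerated = datetime(2024-05-01 10:01:00) + 2s * i,
               OfficeWorkload = "SharePoint", Operation = "FileDownloaded",
               UserId = "Alice@contoso.example",
               OfficeObjectId = strcat("https://contoso.sharepoint.com/sites/Finance/Doc", i, ".xlsx"),
               ClientIP = "203.0.113.10"),
    (range i from 1 to 2 step 1
     | project TimeGenerated = datetime(2024-05-01 10:02:00) + 30s * i,
               OfficeWorkload = "SharePoint", Operation = "FileDownloaded",
               UserId = "bob@contoso.example",
               OfficeObjectId = strcat("https://contoso.sharepoint.com/sites/HR/Policy", i, ".docx"),
               ClientIP = "198.51.100.7");
// Step 1: successful additions to a privileged role, one row per (user, role).
let RoleAdds = AuditLogsSample
| where OperationName == "Add member to role" and Result == "success"
| mv-apply Prop = TargetResources[0].modifiedProperties on (
    where tostring(Prop.displayName) == "Role.DisplayName"
    | extend RoleName = trim('"', tostring(Prop.newValue))
  )
| where RoleName in (PrivilegedRoles)
| project RoleAddedAt = TimeGenerated,
          UserId = tolower(tostring(TargetResources[0].userPrincipalName)),
          RoleName,
          AddedBy = tostring(InitiatedBy.user.userPrincipalName);
// Step 2: SharePoint file downloads, normalised on the same key.
let SpDownloads = OfficeActivitySample
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded"
| project DownloadedAt = TimeGenerated, UserId = tolower(UserId), OfficeObjectId, ClientIP;
// Step 3: join on the user, keep only downloads inside the 5-minute window after the
// role grant, then apply the volume threshold. Only alice should be returned.
RoleAdds
| join kind=inner SpDownloads on UserId
| where DownloadedAt between (RoleAddedAt .. (RoleAddedAt + window))
| summarize DownloadCount = count(),
            FirstDownload = min(DownloadedAt),
            LastDownload = max(DownloadedAt),
            SampleFiles = make_set(OfficeObjectId, 5),
            SourceIPs = make_set(ClientIP)
          by UserId, RoleName, RoleAddedAt, AddedBy
| where DownloadCount >= downloadThreshold
```

When you turn this into a scheduled analytics rule, set the rule to run every 5 minutes with a lookup period long enough to contain both events (15 minutes covers a role grant near the end of one run and downloads in the next), map `UserId` to the Account entity and `SourceIPs` to the IP entity, and note that the UPN is lower-cased on both sides because Entra ID and Office 365 audit records do not agree on case. The threshold is the tuning knob: too low and every new admin opening a document library fires the rule; too high and a slow exfiltration slips under the 5-minute window.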
How to eliminate wrong answers
Option A is wrong because an advanced hunting query in Microsoft Defender XDR is an interactive, on-demand query, not a scheduled detection; on its own it triggers nothing. It is also limited to the advanced hunting tables (device, identity, email and cloud app signals such as IdentityLogonEvents and CloudAppEvents) and has no access to the Entra ID AuditLogs table or the OfficeActivity table that carry the role assignment and SharePoint download records in the detail the scenario needs. Option B is wrong because Microsoft 365 Defender custom detection rules (now part of Defender XDR) are just advanced hunting queries on a schedule, so they inherit the same table restriction: they cannot query Sentinel-ingested tables, and they cannot perform the two-source, 5-minute-window join the requirement describes. Option C is wrong because Microsoft Purview insider risk management policies score user behaviour against predefined indicators and sequences; they do not let you author an arbitrary correlation with your own event sources, your own time window and your own count threshold.