Refer to the exhibit. You are using this KQL query in a Microsoft Sentinel scheduled analytics rule to detect brute-force attacks. The rule has been running for a week but has never triggered an alert. What is the most likely reason?
Without data, the query returns no results.
Why this answer
Option B is correct because the query filters on EventID 4625 (an account failed to log on) and aggregates the failures by Account. Failed logons occur in practically every environment, so a working rule over a week of real data would have fired at least once; a rule that never triggers almost always means the SecurityEvent table it queries is receiving no data (for example, the Windows Security Events connector is not enabled or the agent on the domain controllers is not reporting). Without data, the query returns no rows, and a scheduled rule that returns no rows never generates an alert regardless of its threshold. Option A is wrong because the query's syntax is valid; a syntax error would have been rejected when the rule was saved.
Option C is wrong because a 24-hour lookback is appropriate for a brute-force rule, provided the rule's own lookup period covers that window. Option D is wrong because the query is a simple filter and aggregation, not a query that would be expensive enough to time out or be skipped.
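The queries below are added here as an illustration and are not the exhibit's query or Microsoft's reference rule. The first two are the ingestion checks a practitioner would run in the Logs blade before debugging rule logic; the third is a representative form of the brute-force rule. The threshold value, the 24-hour window and the choice of grouping columns are assumptions.

```kql
// 1. Ingestion check: is any SecurityEvent data arriving at all?
//    If this returns no rows, the analytics rule cannot fire no matter how it is written.
SecurityEvent
| where TimeGenerated > ago(7d)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer
| order by LastSeen desc

// 2. Same check from the Usage table, which records ingested volume (MB) per table per day.
//    A missing or zero-quantity SecurityEvent row here points at the connector or the agent.
Usage
| where TimeGenerated > ago(7d)
| where DataType == "SecurityEvent"
| summarize IngestedMB = sum(Quantity) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

// 3. Representative brute-force detection (assumed threshold of 10 failures per account).
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625                        // 4625 = an account failed to log on
| summarize FailedLogons = count(),
            SourceIPs   = make_set(IpAddress), // which hosts drove the failures
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
    by Account, Computer
| where FailedLogons >= threshold
| order by FailedLogons desc
```

Run each query on its own (select it and click Run). Once query 1 or 2 confirms that events are landing, the rule logic can be tested directly with query 3; while they return nothing, the rule's "Generate alert when number of query results" setting is irrelevant, because an empty result set never satisfies any threshold.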