A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts against Microsoft Entra ID authentication. Which data source is most appropriate for this rule?
Trap 1: Azure Activity Logs
The AzureActivity table records Azure Resource Manager control-plane operations (deployments, role assignments, resource changes). It never sees an authentication attempt, successful or failed.
Trap 2: Office Activity Logs
The OfficeActivity table captures user and admin activity inside Exchange, SharePoint, OneDrive and Teams. The authentication that precedes that activity happens in Microsoft Entra ID and is not recorded there.
Trap 3: SecurityEvent
The SecurityEvent table holds Windows Security event log entries collected from agent-monitored hosts (for example event ID 4625, a failed logon). It is the right source for brute force against on-premises Active Directory or RDP, not for Entra ID cloud sign-ins.
- A
Azure Activity Logs
Why wrong: Azure Activity Logs record resource management operations, not authentication attempts; a failed password has no entry in AzureActivity.
- B
SigninLogs
Why correct: SigninLogs, populated by the Microsoft Entra ID data connector, holds one row per interactive user sign-in with the fields a brute force rule needs: ResultType ("0" on success, otherwise the Entra error code, such as 50126 for an invalid username or password), UserPrincipalName and IPAddress. Counting non-zero results per source over a time window is the core of the detection. Two practical checks: exporting sign-in logs to Log Analytics requires a Microsoft Entra ID P1 or P2 license, and non-interactive sign-ins land in the separate AADNonInteractiveUserSignInLogs table, so a rule that only reads SigninLogs misses attempts made through token-based or service flows.
- C
Office Activity Logs
Why wrong: Office Activity Logs capture activities in Exchange, SharePoint, etc., which happen after authentication has already succeeded; they do not record Microsoft Entra ID sign-ins.
- D
SecurityEvent
Why wrong: SecurityEvent collects Windows security events from hosts running a monitoring agent, not Microsoft Entra ID sign-ins. It would catch brute force against a domain controller or RDP endpoint, which is a different rule.
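The query below is an added example of what the scheduled analytics rule's logic looks like once SigninLogs is chosen; it is not from the original page or from Microsoft's built-in rule templates. It groups failures by source IP rather than by user, so a password spray (many accounts, one or two attempts each) is caught as well as a single-account hammering, and it joins in any success from the same IP in the window, which is the "brute force followed by compromise" case worth paging on. The threshold, lookback and rule cadence are assumed values to be tuned per tenant; the ResultType codes 50125 and 50140 are sign-in interrupts (password reset, "keep me signed in" prompt), not credential failures, and are excluded so they do not inflate the count.

```kql
// Added example: Sentinel scheduled analytics rule query for Entra ID brute force / password spray.
// Assumed rule settings (not from the page): run every 10 minutes, query the last 1 hour.
let failureThreshold = 10;   // assumed; tune to the tenant's normal failure rate
let lookback = 1h;           // should match the rule's "lookup data from the last" setting
// Step 1: failed sign-ins per source IP in the window.
let failed = SigninLogs
    | where TimeGenerated > ago(lookback)
    // "0" is success; 50125 and 50140 are interrupts, not bad credentials
    | where ResultType !in ("0", "50125", "50140")
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                ResultCodes = make_set(ResultType, 10),
                TargetAccounts = make_set(UserPrincipalName, 50),
                DistinctAccounts = dcount(UserPrincipalName)
        by IPAddress
    | where FailedCount >= failureThreshold;
// Step 2: successful sign-ins per source IP in the same window.
let succeeded = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessCount = count(),
                SuccessAccounts = make_set(UserPrincipalName, 50),
                FirstSuccess = min(TimeGenerated)
        by IPAddress;
// Step 3: keep every offending IP; attach successes where they exist.
failed
| join kind=leftouter succeeded on IPAddress
| extend SuccessCount = coalesce(SuccessCount, 0)
// A spray looks like many distinct accounts with few failures each; a classic
// brute force looks like one account with many failures. Label both.
| extend Pattern = iff(DistinctAccounts > 5, "password spray", "single-account brute force")
| extend Severity = iff(SuccessCount > 0, "High", "Medium")
| project FirstFailure, LastFailure, IPAddress, Pattern, Severity,
          FailedCount, DistinctAccounts, ResultCodes, TargetAccounts,
          SuccessCount, SuccessAccounts, FirstSuccess
| order by Severity asc, FailedCount desc
```

When wiring this into the rule, map IPAddress to the IP entity and TargetAccounts (or SuccessAccounts) to the Account entity so the incident carries them, and set the alert grouping to the IP so one spray produces one incident rather than one per run. To cover token and service flows, union AADNonInteractiveUserSignInLogs into both the failed and succeeded branches; the field names are the same.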