A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a single user attempts to sign in from more than three different countries within 10 minutes. Which tables and KQL operators are needed?
Option B is correct: it groups sign-in attempts by user and by fixed 10-minute bin, counts the distinct countries in each group, and keeps only the groups with more than three.
Why this answer
Option B is correct because it reads the `SigninLogs` table, which holds the Azure AD (Microsoft Entra ID) interactive sign-in events that Sentinel ingests through the Azure AD data connector, including the originating country (in the real schema the two-letter country code is the `Location` column; the `Country` used in the options stands for that field). The pattern `summarize dcount(Country) by UserPrincipalName, bin(TimeGenerated, 10m)` counts distinct countries per user per 10-minute window, and filtering that aggregate for a value greater than 3 keeps exactly the users the requirement describes. One correction to how the option is usually paraphrased: KQL has no `having` clause. The aggregate must be given a name in `summarize` (for example `CountryCount = dcount(Country)`) and then filtered with a following `| where CountryCount > 3`. Also keep in mind that `bin()` produces fixed, clock-aligned buckets, so four countries hit between 10:08 and 10:14 fall into two different bins and would not fire; that is accepted for the exam, but a production rule may want a sliding window instead.
Exam trap
The trap is confusing `count()` (total number of events) with `dcount()` (number of distinct values) and overlooking that `bin()` is what enforces the time window; candidates who miss either point drift toward Option A or C, which on top of that use invalid syntax or the wrong table.
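The rule as a worked example, added here and not taken from the original page, written against the standard Sentinel `SigninLogs` schema (country code in `Location`, user in `UserPrincipalName`, event time in `TimeGenerated`). The first query is the exam answer with `count()` placed next to `dcount()` so the trap from the previous paragraph is visible in the output; the second is a sliding-window variant for the bin-boundary caveat. The column names `Attempts`, `Countries`, `CountryCount`, `Window`, `WindowStart` and the `let` names are assumptions chosen for the example; run the two queries separately.

```kusto
// Added example, not from the page. Assumes the default Sentinel SigninLogs schema.
// "Attempts", "Countries", "CountryCount" and "Window" are names chosen here.
let lookback  = 1h;   // a scheduled analytics rule normally scopes this via its own query period
let threshold = 3;    // "more than three countries" => CountryCount > 3
SigninLogs
| where TimeGenerated > ago(lookback)
// The requirement says "attempts", so failed sign-ins (ResultType != 0) are kept on purpose.
| where isnotempty(Location)                    // skip events with no geo enrichment
| summarize
    Attempts     = count(),                     // total events: the exam trap, NOT the answer
    CountryCount = dcount(Location),            // distinct countries: what the rule needs
    Countries    = make_set(Location),          // kept as evidence for the alert
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by UserPrincipalName, Window = bin(TimeGenerated, 10m)
| where CountryCount > threshold                // KQL has no HAVING: filter the named aggregate
| project Window, UserPrincipalName, CountryCount, Countries, Attempts, FirstSeen, LastSeen

// Sliding-window variant: every sign-in opens its own 10-minute window, so a burst that
// straddles two clock-aligned bins (e.g. 10:08 to 10:14) is still detected.
let base = SigninLogs
    | where TimeGenerated > ago(1h)
    | where isnotempty(Location)
    | project UserPrincipalName, TimeGenerated, Location;
base
| join kind=inner (
    base | project UserPrincipalName, T2 = TimeGenerated, L2 = Location
  ) on UserPrincipalName
| where T2 between (TimeGenerated .. (TimeGenerated + 10m))   // events within 10m after this one
| summarize CountryCount = dcount(L2), Countries = make_set(L2)
    by UserPrincipalName, WindowStart = TimeGenerated
| where CountryCount > 3
| summarize arg_max(CountryCount, *) by UserPrincipalName      // one row per user per run
```

For the scheduled rule, keep the lookback at least as long as the bin and accept that the most recent bin is partial when the query runs; the sliding-window form avoids that but self-joins the table, so keep its lookback short.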
How to eliminate wrong answers
Option A is wrong because, although `make_set(Country)` does produce the distinct countries as a dynamic array, `countof()` is a string function that counts occurrences of a substring and takes two arguments; it is not an array-length function, so `where countof(Country) > 3` would not compile. Even the repaired form, `array_length(make_set(Country))`, is just a roundabout `dcount()`. Option C is wrong because `AADSignInEventsMicrosoft` is not a table that exists in a Sentinel workspace (the identity sign-in table in Microsoft 365 Defender advanced hunting is `AADSignInEventsBeta`, and Sentinel's native sign-in table is `SigninLogs`), and `count()` only totals events per user with no country or time-window logic at all. Option D is wrong because `AzureActivity` records Azure Resource Manager control-plane operations (resource creates, role assignments, deployments), not user sign-ins, so it carries no sign-in country field for `make_list(Country)` to collect.