🔥 3-day streak
Microsoft Cybersecurity Architect Expert131 / 158
Question 131 of 158

A financial services company runs Microsoft Sentinel as its cloud-native SIEM. The SOC has strong analytics rules for known attack signatures but repeatedly misses slow, low-and-slow insider threats where a legitimate employee gradually accesses data outside their normal pattern. Leadership wants the security architect to add a detection capability that establishes behavioral baselines per user and entity, then surfaces deviations (impossible travel, anomalous data access volumes, unusual logon times) as enriched incidents that analysts can prioritize. Which Sentinel capability should the architect enable to meet this requirement with minimal custom rule development?

Reviewed for accuracy · Report an issueNext question