🔥 3-day streak
Microsoft Security Operations Analyst135 / 190
Question 135 of 190

Your SOC team built a scheduled analytics rule in Microsoft Sentinel that queries a custom firewall table and generates alerts for repeated blocked outbound connections. Analysts complain that the resulting incidents show no clickable entities, so they cannot pivot on the source host or user, and the investigation graph is empty. The KQL query already returns columns named SrcHostName, SrcUserName, and SrcIP. What should you configure on the rule to resolve this?

Reviewed for accuracy · Report an issueNext question