🔥 3-day streak
Microsoft Security Operations Analyst137 / 190
Question 137 of 190
Your SOC needs to detect a specific high-severity event—the disabling of a critical Azure AD Conditional Access policy—with the lowest possible detection latency. You decide to create a Near-Real-Time (NRT) analytics rule in Microsoft Sentinel. During rule creation, you attempt to configure the query to join the AuditLogs table with the SigninLogs table across a 24-hour lookback to enrich the alert with recent sign-in context. The validation fails. Which characteristic of NRT rules explains this failure and represents the correct way to proceed?
Reviewed for accuracy · Report an issueNext question