Microsoft Security, Compliance, and Identity Fundamentals SC-900 Practice Question

In Microsoft Sentinel, analytics rules are used to implement threat detection logic. You define a Kusto Query Language (KQL) query that looks for indicators of compromise in the data collected by Sentinel. The rule runs on a configurable schedule, evaluates the query results, and automatically creates an incident if the defined threshold or condition is met.

Other options do not provide this functionality:

• Data connectors are used to ingest data from various sources into Sentinel but do not generate alerts by themselves.
• Workbooks offer interactive dashboards for visualizing data and reporting but do not trigger incidents.
• Playbooks (built on Azure Logic Apps) automate responses after an alert or incident has been generated; they do not detect threats on their own.