Exam SC-200 topic 3 question 78 discussion

the answer is B. the query rule. To create an NRT rule, you need to follow these steps: From the Microsoft Sentinel navigation menu, select Analytics. Select Create from the button bar, then NRT query rule (preview) from the drop-down list. Follow the instructions of the analytics rule wizard.

You need to configure the alert automation settings to trigger the playbook.

obsolete question: As of June 2023, you can no longer select playbooks to run directly from an analytics rule by adding it to the following list. Playbooks already in the list will continue to run until March 2026, when this method will be deprecated. Instead, to run a playbook in response to an alert generated by this analytics rule, create an Automation rule.

I am understanding the question to ask how you plan on making sure the new NRT rule uses the already existing playbook. You already know what query you will run, to make use of the already existing playbook you would have to configure the incident automation. Answer is A.

for me is A. For a rule to use a playbook, you need to configure automation

In the Set rule logic tab, you can either write a query directly in the Rule query field, the choice is B

In the exam on 21/12/2023

I tested it and think it is "A". When creating a new NRT Rule, it is only possible to add a playbook when using "When incident is created trigger" or "When incident is updated". It is not possible to select "Alert" for NRT rule. So, as the question ask what needs to be done for the playbook to be triggered in the NRT rule, this should be "A"

Correct option

B You create NRT rules the same way you create regular scheduled-query analytics rules: From the Microsoft Sentinel navigation menu, select Analytics. Select Create from the button bar, then NRT query rule (preview) from the drop-down list. Follow the instructions of the analytics rule wizard