Exam SC-200 topic 3 question 89 discussion

It's A based on this: https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview other people say they get answer "b" out of this but i don't see it ....

Actually the correct answer is B. https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

The entity side panel of the Microsoft Sentinel timeline card is correct. In the new incident experience of Microsoft Sentinel (currently in preview), you can use the entity timeline to add alerts. This feature allows you to view all entities for a specific incident investigation and add alerts from the side panel. Therefore, if you are using the preview feature, this option is correct. Even considering that the entity timeline feature is in preview, it is the correct choice based on the content of the SC-200 certification exam. It is also important to understand the latest features and methods, as preview features may be included in the exam. cf:https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

Real life experience : Incidents blade > Select Incident > View full details in the right pane > Select Entities tab in the middle pane > Select an entity > clicl on the timeline card on the right pane > click on the plus sign on the right side of greyed shielded entities > add to exising or new incident. Not the most logical workflow, but it is what it is...

Sentinel > Incidents > open full details of an incident > select an entity (this will open the entity side panel which holds details about the entity) > click on the Timeline card > there's a plus sign symbol beside the alerts not included in the incident. Clicking that plus symbol will add that alert to the incident https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

What a mess. Microsoft has changed the GUI in Sentinel. In the old GUI you can access the Timeline in the incident page. Ref: https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases#how-to-investigate-incidents There is no "Timeline" tab available directly in Incidents pane in the new GUI. You need to open an Incident & then navigate to Entities tab & then select an entity and in the side pane select "Timeline" tab. Ref: https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview I'd go for the answer as B. A is anyways wrong, because there is no entity side panel of the Timeline card in Microsoft Sentinel. Rather there is the Timeline side panel of the Entities card in Microsoft Sentinel. :)

Option D: The Alerts page in the Microsoft 365 Defender portal This is where you can find and manage all alerts generated by Microsoft 365 Defender components, including Defender for Cloud Apps. From this portal, you can associate these alerts with existing incidents or create new incidents. This allows for a comprehensive view and management of security incidents across all Defender products.

A is correct

https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

By using the investigation graph in Microsoft Sentinel, you can explore connections between the existing Microsoft 365 Defender data and potentially find the relevant Defender for Cloud Apps alert related to the incident you're investigating. T

The wording for option A, B and C makes me doubt them as answers because 1. The Timeline card does not have an entity side panel, it's actually the entity side panel that has a Timeline card tab. 2. The timelines tab is not on the incidents page of Sentinel and 3. The investigation graph is not on the incidents page but rather on the incident details panel. The Alert page in Defender 365 portal does allow you to associate an alert with an incident, so this would be my choice. Thought on this?

Answer confirmed by items 5 & 6 listed here https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

The question is tricky. If you read the following link you will see in limitations that you cannot link defender alerts to defender incidents from Sentinel. You can only do that from Defender portal. https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

In the exam on 21/12/2023

In the entity page side panel, select the Timeline card. A is the correct choice based on the links provided

Based on the documentation below, I think the aswer is A. https://learn.microsoft.com/en-us/azure/sentinel/relate-alerts-to-incidents#add-alerts-using-the-entity-timeline-preview

Changed my mind. This question has annoyed. I use Sentinel and A, B or C as worded in the question does not allow us to link to another incident. However D does. I have alerts in Sentinel that have been ingested from Defender. If I go to the alert in Defender I can 'link to another incident