
Exam SC-200 topic 7 question 24 discussion

Actual exam question from Microsoft's SC-200
Question #: 24
Topic #: 7

Your on-premises network contains two Active Directory Domain Services (AD DS) domains named contoso.com and fabrikam.com. Contoso.com contains a group named Group1. Fabrikam.com contains a group named Group2.

You have a Microsoft Sentinel workspace named WS1 that contains a scheduled query rule named Rule1. Rule1 generates alerts in response to anomalous AD DS security events. Each alert creates an incident.

You need to implement an incident triage solution that meets the following requirements:

• Security incidents from contoso.com must be assigned to Group1.
• Security incidents from fabrikam.com must be assigned to Group2.
• Administrative effort must be minimized.

What should you include in the solution?

  • A. a playbook that is triggered by the creation of an incident
  • B. a playbook that is triggered by the creation of an alert
  • C. one automation rule assigned to Rule1
  • D. two automation rules assigned to Rule1
Suggested Answer: D

Comments

a_kto_to
4 days, 3 hours ago
Selected Answer: D
ChatGPT: ✅ Correct answer: D. Two automation rules assigned to Rule1

💡 Explanation: To assign incidents to different groups based on the originating domain (contoso.com or fabrikam.com) with minimal administrative effort, the best approach is to:
• Create two automation rules, each with a condition to check for indicators (like hostname, domain, or event source).
• Use the rules to automatically assign incidents to Group1 or Group2.

✅ Why two automation rules (Option D) is correct:
• Automation rules in Microsoft Sentinel can act on incident properties such as title, custom details, or mapped entities.
• Each domain (contoso.com / fabrikam.com) would likely be identifiable via a field in the alert/incident (e.g., domain name, hostname suffix).
• Creating one rule per domain ensures precise and maintainable logic, with clear ownership per domain.
• Requires less overhead than scripting or maintaining complex playbooks.
upvoted 1 times

Community vote distribution: A (35%), C (25%), B (20%)