Exam SC-200 topic 3 question 10 discussion

Actual exam question from Microsoft's SC-200
Question #: 10
Topic #: 3

You have a custom analytics rule to detect threats in Azure Sentinel.
You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.
What is a possible cause of the issue?

  • A. There are connectivity issues between the data sources and Log Analytics.
  • B. The number of alerts exceeded 10,000 within two minutes.
  • C. The rule query takes too long to run and times out.
  • D. Permissions to one of the data sources of the rule query were modified.
Suggested Answer: D

Comments

PJR
Highly Voted 3 years, 11 months ago
D - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#issue-a-scheduled-rule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name
upvoted 18 times
g_man_rap
8 months ago
Somebody checked this link? Is nothing about AUTO DISABLED or permissions? Please check.
upvoted 3 times
subhuman
Highly Voted 3 years, 1 month ago
Selected Answer: D
Correct answer is D.
Permanent failure - rule auto-disable due to the following reasons:
  • The target workspace (on which the rule query operated) has been deleted.
  • The target table (on which the rule query operated) has been deleted.
  • Microsoft Sentinel had been removed from the target workspace.
  • A function used by the rule query is no longer valid; it has been either modified or removed.
  • Permissions to one of the data sources of the rule query were changed.
  • One of the data sources of the rule query was deleted or disconnected.
upvoted 6 times
Avaris
Most Recent 3 months ago
Selected Answer: D
D https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules?source=recommendations
upvoted 2 times
talosDevbot
7 months ago
Answer is D. As per Microsoft's own documentation on troubleshooting analytics rules: a rule is never autodisabled due to a transient failure. One of their examples of transient failure is "A rule query takes too long to run and times out." The only rules that are auto-disabled are queries that have permanent failure. Listed as an example of permanent failure is "Permissions to one of the data sources of the rule query were changed".
Link: https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules
upvoted 2 times
b9cf0e5
7 months, 3 weeks ago
C- In Microsoft Sentinel, if an analytics rule is automatically disabled and the rule name is prefixed with "AUTO DISABLED," it typically indicates that the query within the rule has failed repeatedly. One common cause of this issue is that the query takes too long to execute or times out, which can lead to the rule being automatically disabled to avoid consuming excessive resources.
upvoted 3 times
g_man_rap
8 months, 3 weeks ago
C. The rule query takes too long to run and times out: Explanation: This is a common reason for Azure Sentinel to automatically disable a custom analytics rule. If a query takes too long to execute (usually due to complexity or large data volumes), it can lead to performance issues. Azure Sentinel may automatically disable such a rule to prevent it from impacting the overall performance of the system. Relevance: This is the most likely cause of the rule being automatically disabled and the name being prefixed with "AUTO DISABLED."
upvoted 1 times
Avaris
10 months ago
Selected Answer: C
answer is C not D
upvoted 2 times
Sneekygeek
1 year ago
Selected Answer: D
A permanent failure occurs due to a change in the conditions that allow the rule to run, which without human intervention can't return to their former status. The following are some examples of failures that are classified as permanent:
  • The target workspace (on which the rule query operated) was deleted.
  • The target table (on which the rule query operated) was deleted.
  • Microsoft Sentinel was removed from the target workspace.
  • A function used by the rule query is no longer valid; it was either modified or removed.
  • Permissions to one of the data sources of the rule query were changed (see example).
  • One of the data sources of the rule query was deleted.
https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules
upvoted 1 times
xoe123
1 year, 3 months ago
A function used by the rule query is no longer valid; it has been either modified or removed. Permanent failure - rule auto-disabled. Correct. For transient failure there are two reasons and both are listed:
  • A rule query takes too long to run and times out.
  • Connectivity issues between data sources and Log Analytics, or between Log Analytics and Microsoft Sentinel.
Any other new and unknown failure is considered transient.
upvoted 1 times
xoe123
1 year, 3 months ago
Option D. I think it is option D, as both options A and C are for transient failures and the question asked to pick one option. Also, the question says the rule stopped, while with a transient failure it tries again to run the rule.
upvoted 1 times
DCT
1 year, 3 months ago
Selected Answer: D
Correct D.
upvoted 1 times
chepeerick
1 year, 6 months ago
Correct
upvoted 1 times
mali1969
1 year, 7 months ago
Selected Answer: D
The possible cause of the issue is D. Permissions to one of the data sources of the rule query were modified. Option C is not correct because the rule query timeout does not cause a rule to be disabled. The default timeout for a rule query is 10 minutes, but it can be extended up to 60 minutes by using the query_timeout parameter in the advanced settings. If a query exceeds the timeout limit, it will fail and generate an error, but it will not disable the rule.
upvoted 1 times
donathon
1 year, 8 months ago
Selected Answer: D
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#permanent-failure---rule-auto-disabled
upvoted 1 times
D_PaW
1 year, 11 months ago
Selected Answer: A
Correct: ACD
Transient reasons:
  • A rule query takes too long to run and times out.
  • Connectivity issues between data sources and Log Analytics, or between Log Analytics and Microsoft Sentinel.
  • Any other new and unknown failure is considered transient.
Permanent reasons:
  • The target workspace (on which the rule query operated) has been deleted.
  • The target table (on which the rule query operated) has been deleted.
  • Microsoft Sentinel had been removed from the target workspace.
  • A function used by the rule query is no longer valid; it has been either modified or removed.
  • Permissions to one of the data sources of the rule query were changed.
  • One of the data sources of the rule query was deleted.
Source: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#issue-a-scheduled-rule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name
upvoted 1 times
stromnessian
3 years, 2 months ago
Selected Answer: D
D is correct.
upvoted 1 times
Eltooth
3 years, 6 months ago
Correct answer - D. Permission change stopped rule from connecting.
upvoted 2 times