Exam SC-200 topic 3 question 59 discussion

Actual exam question from Microsoft's SC-200
Question #: 59
Topic #: 3

HOTSPOT

You have a Microsoft Sentinel workspace named sws1.

You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in sws1.

You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:

• Minimize administrative effort.
• Use the principle of least privilege.

How should you configure the credentials? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

evilprime
Highly Voted 2 years ago
guess it should be 'reader' with 'managed' see https://learn.microsoft.com/en-us/azure/sentinel/authenticate-playbooks-to-sentinel#authenticate-with-managed-identity
upvoted 13 times
nsss
1 year, 2 months ago
You guessed wrong, the reader role does not have the necessary permissions to run a logic app. You can use it to authenticate, sure, but it's not enough for running it.
upvoted 4 times
user636
7 months, 3 weeks ago
The logic app does not need the responder because it will create an incident in the external system & not in Sentinel. Reader is enough for the logic app to read the incidents generated in Sentinel.
upvoted 3 times
...
...
...
billo79152718
Highly Voted 1 year, 8 months ago
A managed identity Microsoft Sentinel Reader
upvoted 8 times
...
a_kto_to
Most Recent 5 days, 19 hours ago
ChatGPT:
✅ Answer:
Role to assign: Microsoft Sentinel Responder
Scope to assign the role: Resource group that contains the Sentinel workspace
🧠 Explanation:
Microsoft Sentinel Responder
• Can view incidents and update their status or comments, which is sufficient for triggering actions in a logic app when incidents are created.
• Cannot create analytics rules, workbooks, or change workspace settings, so it aligns well with least privilege.
Scope at resource group level: This limits the permissions to just the resource group that contains sws1, again helping follow least privilege.
upvoted 1 times
...
smanzana
8 months, 3 weeks ago
Managed identity Microsoft Sentinel Reader
upvoted 2 times
...
Ramye
1 year, 1 month ago
Based on the Sentinel role permission (RBAC), I think the answers are: - Managed Identity - Sentinel Responder (because this can assign incident as outlined below) Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).
upvoted 5 times
Ramye
1 year, 1 month ago
Upon further reading the link shared by Evilprime, it’s most likely Sentinel Reader.
Permissions required:
Roles / Connector components | Triggers | "Get" actions | Update incident, add a comment
Microsoft Sentinel Reader | ✓ | ✓ | ✗
Microsoft Sentinel Responder/Contributor | ✓ | ✓ | ✓
upvoted 2 times
uday1985
11 months, 1 week ago
it dictates "raising" not "updating" an incident
upvoted 1 times
...
...
...
kabooze
1 year, 5 months ago
I hate these kinds of questions. Honestly I can't tell what is "easier", a managed identity or a service principal. I know that the documentation says service principal is preferred. Sigh....
upvoted 1 times
...
chepeerick
1 year, 5 months ago
Correct Option
upvoted 1 times
...
chepeerick
1 year, 6 months ago
Correct answer
upvoted 2 times
...
SaHaGe
1 year, 6 months ago
The same scenario tells you that the logic app is going to generate an incident. "You plan to create an Azure logic app that will raise an incident..." The reader can only view incidents, the responder has the ability to generate them. The suggested answer is correct.
upvoted 2 times
wheeldj
11 months, 4 weeks ago
the logic app is raising the incident in the ITSM tool, not sentinel so this has no bearing on which sentinel role to choose.
upvoted 1 times
...
...
RV025
1 year, 7 months ago
I would say: Service principal, since that can be assigned the least privilege without having to create a user in the AD. Since no automation creation of incident handling is needed, Sentinel Reader role would suffice
upvoted 2 times
...
donathon
1 year, 8 months ago
A managed identity Microsoft Sentinel Reader
upvoted 5 times
...
ACSC
2 years, 2 months ago
Answer is correct. https://learn.microsoft.com/en-us/azure/sentinel/authenticate-playbooks-to-sentinel#authenticate-with-managed-identity https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-specific-roles
upvoted 6 times
PhoenixSlasher
2 years, 2 months ago
Surely Reader is all that is required if MS Reader can view Incidents (doesn't mention in scenario whether the Logic App will manage the Incident on Sentinel side, only raise an incident in an ITSM elsewhere when incident is raised in sentinel <> view required only?
upvoted 13 times
...
...