Microsoft Security Operations Analyst Associate SC-200 Practice Question

After reviewing an incident in Microsoft Sentinel, you conclude that it is an active attack. You need Sentinel to automatically run a Logic App playbook that disables the compromised Azure AD account whenever an incident changes to Active and its severity is High. You want the automation to occur without analyst interaction and with minimal delay. What should you configure?

  • Use Microsoft 365 Defender advanced hunting to run a live response action when the query matches the user account.

  • Attach the playbook to the analytics rule that generated the alerts as an alert automation action.

  • Add the playbook as a manual action button on the incident page for analysts to run when needed.

  • Create an automation rule that is triggered on incident updates, scoped to status Active and severity High, and add the playbook as an action.

Microsoft Security Operations Analyst Associate SC-200
Manage incident response