Microsoft Security Operations Analyst Associate SC-200 Practice Question
You create a Logic App playbook named DisableCompromisedAccount that disables an Entra ID user account. During incident response you want the playbook to run automatically only when Microsoft Sentinel generates an incident with a severity of High or Critical. For incidents that have a Medium or Low severity, analysts must still be able to run the same playbook manually from the incident's Actions menu. Which Sentinel configuration should you implement?
Create an automation rule that triggers when an incident is created, add a condition for incident severity High or Critical, and configure the rule to run the DisableCompromisedAccount playbook.
Publish the DisableCompromisedAccount playbook as a playbook template and instruct analysts to deploy and run it manually when required.
Create a watchlist that stores the IDs of all High-severity incidents and configure the playbook to poll the watchlist periodically and disable accounts found there.
Attach the DisableCompromisedAccount playbook to the analytics rule that generates the alerts and pass the incident severity to the playbook so it exits if the value is not High or Critical.
An automation rule is evaluated each time an incident is created. By adding a condition that checks whether the incident's severity equals High or Critical and an action that runs the DisableCompromisedAccount playbook, the playbook is executed automatically for those severities only. Because the playbook uses the Microsoft Sentinel incident trigger, analysts can still run it on any incident manually from the incident Actions menu, regardless of the automation rule. Linking the playbook directly to an analytics rule, creating a template that must be deployed manually, or polling a watchlist would not provide both automatic execution for selected severities and on-demand manual execution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an automation rule in Microsoft Sentinel?
Open an interactive chat with Bash
What is a Microsoft Sentinel playbook and why is it used?
Open an interactive chat with Bash
How does the Microsoft Sentinel incident severity affect automation workflows?
Open an interactive chat with Bash
Microsoft Security Operations Analyst Associate SC-200
Manage incident response
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .