Microsoft Security Operations Analyst Associate SC-200 Practice Question
Your organization uses Microsoft Sentinel to monitor three Azure subscriptions. A scheduled query analytics rule that detects suspicious PowerShell activity is producing many incidents, all from the development subscription named "SubDev." You must stop this rule from generating incidents for SubDev while still creating incidents for the two production subscriptions. The change must apply only to this rule and not affect others. What should you do?
Configure an incident suppression rule and set a scope condition that matches SubscriptionId = "SubDev".
Change the rule's alert grouping settings to group by SubscriptionId and enable suppression for the group that equals "SubDev".
Create an automation rule that automatically closes any incident the analytics rule raises when the SubscriptionId is "SubDev".
Edit the analytics rule's KQL query and add a filter that excludes records where SubscriptionId equals "SubDev".
For a scheduled query analytics rule, the most direct way to stop unwanted incidents for a particular source is to refine the rule's Kusto Query Language (KQL) statement. Adding a filter such as | where SubscriptionId != "SubDev" removes events from the development subscription before the rule evaluates its alert logic, so no alerts or incidents are produced for that subscription, while the rule continues to run normally for the two production subscriptions. Because the filter lives inside this rule's query, no other analytics rule is affected.
Creating an automation rule or playbook that closes incidents after they are raised does not prevent the alerts or incidents from being generated in the first place, so it does not meet the requirement to avoid creation. Microsoft Sentinel does not have an "incident suppression rule" or an alert-grouping setting that can selectively suppress incidents by subscription within a single rule; grouping only affects how incidents are consolidated, not whether they are created. Therefore, modifying the KQL query is the correct and most efficient approach.
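The refined rule query the explanation describes, written out as an added example (it is not part of the original question and not taken from Microsoft documentation). The SecurityEvent table, the PowerShell detection pattern, the threshold and the column name SubscriptionId are assumptions chosen to match the wording of the question; in a real Log Analytics workspace the standard column is _SubscriptionId and it holds the subscription GUID, so the comparison value would be that GUID rather than a display name.

```kql
// Added example: scheduled analytics rule query for suspicious PowerShell
// with a per-rule exclusion of the development subscription "SubDev".
// Table, column names and detection pattern are assumptions.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688                       // process creation
| where Process in~ ("powershell.exe", "pwsh.exe")
| where CommandLine has_any ("-EncodedCommand", "-enc", "FromBase64String",
                             "IEX", "DownloadString")
// Scope exclusion: drop SubDev rows here, before any aggregation or
// threshold, so the rule never evaluates them and no alert or incident
// is raised for that subscription. Other subscriptions are unaffected.
| where SubscriptionId != "SubDev"
| summarize Count = count(),
            Commands = make_set(CommandLine, 10)
    by Computer, Account, SubscriptionId, bin(TimeGenerated, 5m)
| where Count >= 3                            // alert threshold (assumed)
| project TimeGenerated, Computer, Account, SubscriptionId, Count, Commands
```

Note that the != comparison also lets rows with an empty SubscriptionId through; if the data source can leave that column blank, filter with isnotempty(SubscriptionId) as well or use _SubscriptionId, which is populated for Azure resources.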