Exam SC-200 All Questions

View all questions & answers for the SC-200 exam

Exam SC-200 topic 3 question 78 discussion

Actual exam question from Microsoft's SC-200

Question #: 78
Topic #: 3

You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.

You need to create a new near-real-time (NRT) analytics rule that will use the playbook.

What should you configure for the rule?

A. the incident automation settings
B. the query rule
C. entity mapping
D. the Alert automation settings

Show Suggested Answer

Suggested Answer: B 🗳️

by Fez786 at Sept. 9, 2023, 7 a.m.

Comments

Submit Cancel

mali1969

Highly Voted 1 year, 2 months ago

Selected Answer: B

the answer is B. the query rule. To create an NRT rule, you need to follow these steps: From the Microsoft Sentinel navigation menu, select Analytics. Select Create from the button bar, then NRT query rule (preview) from the drop-down list. Follow the instructions of the analytics rule wizard.

upvoted 10 times

...

0d0dde7

Most Recent 2 weeks, 6 days ago

Selected Answer: D

A. the incident automation settings ❌ Incorrect — NRT rules don't generate incidents, so these settings won’t apply. B. the query rule ❌ Necessary for defining the logic, but not for linking the playbook. C. entity mapping ❌ Used to identify entities like IPs, accounts, etc. — useful but not related to triggering a playbook. D. the Alert automation settings ✅ Correct — This is where you attach a playbook directly to alerts generated by an NRT rule. ChatGPT

upvoted 2 times

...

Optimizor_IT

1 month, 4 weeks ago

Selected Answer: D

You need to configure the alert automation settings to trigger the playbook.

upvoted 1 times

...

e072f83

6 months ago

obsolete question: As of June 2023, you can no longer select playbooks to run directly from an analytics rule by adding it to the following list. Playbooks already in the list will continue to run until March 2026, when this method will be deprecated. Instead, to run a playbook in response to an alert generated by this analytics rule, create an Automation rule.

upvoted 4 times

...

DChilds

7 months, 2 weeks ago

Selected Answer: A

I am understanding the question to ask how you plan on making sure the new NRT rule uses the already existing playbook. You already know what query you will run, to make use of the already existing playbook you would have to configure the incident automation. Answer is A.

upvoted 1 times

DChilds

7 months, 1 week ago

I change my mind and go with B. The rule is what you configure for the NRT to use the playbook.

upvoted 1 times

...

luisM14

10 months ago

Selected Answer: A

for me is A. For a rule to use a playbook, you need to configure automation

upvoted 2 times

...

Murtuza

11 months ago

In the Set rule logic tab, you can either write a query directly in the Rule query field, the choice is B

upvoted 1 times

...

ApexPredator84

11 months, 1 week ago

In the exam on 21/12/2023

upvoted 2 times

...

NeoTactics

1 year ago

Selected Answer: A

I tested it and think it is "A". When creating a new NRT Rule, it is only possible to add a playbook when using "When incident is created trigger" or "When incident is updated". It is not possible to select "Alert" for NRT rule. So, as the question ask what needs to be done for the playbook to be triggered in the NRT rule, this should be "A"

upvoted 3 times

...

chepeerick

1 year, 1 month ago

Correct option

upvoted 1 times

...

Anil0512

1 year, 2 months ago

B You create NRT rules the same way you create regular scheduled-query analytics rules: From the Microsoft Sentinel navigation menu, select Analytics. Select Create from the button bar, then NRT query rule (preview) from the drop-down list. Follow the instructions of the analytics rule wizard

upvoted 1 times

...