Exam SC-200 topic 3 question 106 discussion

Actual exam question from Microsoft's SC-200
Question #: 106
Topic #: 3

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1 and a user named User1.

You need to ensure that User1 can investigate incidents by using Workspace1. The solution must follow the principle of least privilege.

Which role should you assign to User1?

  • A. Microsoft Sentinel Responder
  • B. Microsoft Sentinel Contributor
  • C. Microsoft Sentinel Automation Contributor
  • D. Microsoft Sentinel Reader
Suggested Answer: A

Comments

Kristiannn
Highly Voted 7 months, 1 week ago
Selected Answer: D
You can investigate by just viewing the Incident. The question does not specify that the user "manage" the Incident.
upvoted 10 times
...
Aam9303
Most Recent 1 month, 2 weeks ago
Selected Answer: A
ChatGPT says A
upvoted 1 times
...
Onimole
3 months ago
Selected Answer: A
Prerequisites: The Microsoft Sentinel Responder role assignment is required to investigate incidents. Learn more about roles in Microsoft Sentinel. If you have a guest user that needs to assign incidents, the user must be assigned the Directory Reader role in your Microsoft Entra tenant. Regular (nonguest) users have this role assigned by default.
https://learn.microsoft.com/en-us/azure/sentinel/investigate-incidents
upvoted 2 times
...
limpan
3 months, 2 weeks ago
Selected Answer: A
A. Microsoft Sentinel Responder
Explanation: Microsoft Sentinel Responder: This role allows User1 to investigate incidents, including viewing incidents, updating their status, and adding comments. It does not grant permissions to create or modify analytics rules, playbooks, or other configurations, which aligns with the principle of least privilege.
Why not the other options?
B. Microsoft Sentinel Contributor: This role grants full access to manage Microsoft Sentinel, including creating and modifying analytics rules, playbooks, and other configurations, which exceeds the required permissions.
C. Microsoft Sentinel Automation Contributor: This role is used to manage automation rules and playbooks, not for investigating incidents.
D. Microsoft Sentinel Reader: This role only allows viewing incidents and data but does not permit User1 to investigate or update incidents.
Thus, the correct answer is A.
upvoted 2 times
...
b174f8f
3 months, 3 weeks ago
Selected Answer: A
Topic 4 Question 29 has a similar case, where “investigate” is required only. It is also marked as requiring the “Respond” role. Here Microsoft specifies that “investigate” requires the role of “respond”: https://learn.microsoft.com/en-us/azure/sentinel/investigate-incidents
I think it's a bad use of the word, and they shouldn't leave questions open to the imagination, but I'm going to go with A.
upvoted 1 times
...
xRiot007
5 months ago
Selected Answer: A
If you just need to investigate, read rights are enough. If you need to actually investigate and respond/solve the incident, you need to be a Responder.
upvoted 1 times
...
Takakage
6 months, 2 weeks ago
Selected Answer: A
The problem statement mentions that "User1 can investigate incidents using Workspace1." If it is just "investigation," it is possible with the Microsoft Sentinel Reader role. However, investigating incidents typically involves checking the details of the incident and, if necessary, changing the status of the incident or adding comments. These actions require the Microsoft Sentinel Responder role.
upvoted 4 times
...
chirva
7 months ago
Selected Answer: A
GPT4: The "Microsoft Sentinel Reader" role provides read-only access to Microsoft Sentinel resources, which includes viewing incidents, workbooks, and other data. However, it does not provide the necessary permissions to actively investigate or respond to incidents. For User1 to be able to investigate incidents, they need more than just read access; they need the ability to interact with and manage incidents. Therefore, the "Microsoft Sentinel Reader" role would not be sufficient for this purpose. The correct role to assign to User1 to ensure they can investigate incidents while adhering to the principle of least privilege is: A. Microsoft Sentinel Responder
upvoted 3 times
...
sapphire
7 months ago
Selected Answer: A
To investigate the incident, read privileges are sufficient. Microsoft Sentinel Reader
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other