Exam SC-200 topic 3 question 4 discussion

Personally i think that correct option is D.

Some people are saying this is correct as a logic app connector, actually this is referring to that as you have literally just deployed Sentinel, you need to add the AAD Connector to get that in first before you do anything. Need the data there first.

If you think about it, this question is not even a technical question, it's more like a 'common sense' question. Answer D, your trigger is a manual trigger, I doubt it would be useful when triggered from a Playbook.

Another poor question from MS I think. Define what 'deploy sentinel' means? if this implies you have literally just deployed a completely blank empty workspace then the answer is B. But if "you deploy Sentinel" means you build the workspace with the basic connectors and config to start ingesting data, then D is the answer. Working as a consultant if I told a customer I'd just 'Deployed Sentinel' but it had no data, no connectors, no rules I imagine they probably tell me to go back and finish the job! So I'm voting D

I was able to see my existing logic app under playbooks in Sentinel without creating a connector. Answer seems to be D

The Sentinel and AAD needs to integrate first before anything else, e.g. using the existing Logic App.

B. It said you just deployed Sentinel, so you have to add data connector to allow communication first before you can modify trigger for the alert.

the D is correct

Think it is B. You have just deployed sentinel. Have to able to communicate to Sentinel first so need to add data connector before you can modify trigger in logic app.

D for me

B for me

D. Modify the trigger in the logic app. To use an existing logic app as a playbook in Azure Sentinel, you need to change the trigger from manual to When a response to an Azure Sentinel alert is triggered or When a response to an Azure Sentinel incident is triggered. This will allow the logic app to run automatically when an alert or incident occurs in Azure Sentinel.

https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions The answers are split between B and D. I will go for D because I think the AAD is already connected to the logic app. Whether AAD is connected to seninel or not does not really matters since the question is asking to add the logic app as a playbook. Which means D make more sense.

trigger

Everyone the answer is B, confirmed and tested. Let me explain: Adding a data connector to Azure Sentinel is the first step to use the existing logic app as a playbook in Azure Sentinel. The data connector allows Azure Sentinel to trigger the Logic App as part of a playbook. Once the data connector is added, you can proceed to modify the trigger in the Logic App to ensure that it can be invoked by Azure Sentinel. It's important to note that modifying the trigger in the Logic App (option D) is also a crucial step in the process. However, based on the provided information, adding a data connector (option B) should be the first step.

asked gpt the exact question with the exact answers to choose from, it has chosen B

It's B It's an exising logic App. If you want to modify the trigger, you will not find any trigger related to Sentinel (tested in lab). You have to add the connector before seeing the Sentinel Trigger. NB: For Playbook created directly in Sentinel, everything is done by default.