You have a playbook in Azure Sentinel. When you trigger the playbook, it sends an email to a distribution group. You need to modify the playbook to send the email to the owner of the resource instead of the distribution group. What should you do?
A.
Add a parameter and modify the trigger.
B.
Add a custom data connector and modify the trigger.
C.
Add a condition and modify the action.
D.
Add an alert and modify the action.
Because the question states that there is already an alert that "sends an email to a distribution group", you should add a parameter and modify the existing one, right? I would go for A instead.
Why would you add another parameter? The question asked that the email go to the Owner rather than to a DL, so somehow the existing parameter needs to be updated, so the email only goes to the owner. Honestly not quite certain what would be the answer, but am leaning toward C.
To modify your Azure Sentinel playbook so that it sends an email to the owner of the resource instead of a distribution group, follow these steps:
- Use the Microsoft Sentinel API or Azure Logic Apps connectors to extract the resource owner's email from the incident or alert.
- Modify the Email Action in the Playbook
- Test the Playbook
Source: Copilot
Correct Answer: C. Add a condition and modify the action
A. Add a parameter and modify the trigger – Parameters are useful for input customization but don't help identify and dynamically use the resource owner’s email.
B. Add a custom data connector and modify the trigger – This is unnecessary unless you're bringing in data from a completely new source. For this task, the owner info can usually be obtained from existing data or a Graph API call.
D. Add an alert and modify the action – The alert already exists. You don’t need to create a new alert to change how the playbook behaves.
The correct approach is to add a condition (to check or process the owner) and modify the email action to target the resource owner instead of a distribution group.
A. While this option is plausible, it assumes the resource owner’s identity is readily available in the trigger payload, which isn’t guaranteed without additional steps.
C. This approach could work if you retrieve the resource owner’s details (e.g., via an Azure Resource Manager or Microsoft Graph API call) and use a condition to decide when/how to send the email to that owner instead of the group. This is a practical way to adjust the recipient dynamically within the workflow.
I would go with C.
Answer is C.
Your goal is to send it to the owner of the resource. So you can use multiple Condition statements in your Logic App workflow to achieve this.
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-control-flow-conditional-statement?tabs=standard
To modify the playbook to send an email to the owner of the resource instead of the distribution group, you should choose Option A: Add a parameter and modify the trigger.
In Azure Sentinel, a playbook is essentially a Logic App. To change the recipient of the email, you would need to modify the action that sends the email. This can be done by adding a parameter to the action that specifies the owner of the resource as the recipient.
The trigger of the Logic App determines when the Logic App is run. If the trigger is currently set to run when an alert is generated, you would not need to modify the trigger to change the recipient of the email. However, if the trigger is not currently set to run when the resource owner changes, you would need to modify the trigger as well.
A is correct!!
https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/forensic-artifacts-in-office-365-and-where-to-find-them/ba-p/3634865
I have a playbook like this in my lab. The Condition>Action is where we tell the playbook that we want it to email out and who we want to email it out to. So if you edit the condition and then the action we can change who gets the email when the playbook is triggered.
To modify the playbook to send the email to the owner of the resource instead of the distribution group, you should do the following:
Add a parameter and modify the trigger. This option allows you to define a custom value that the playbook uses, such as the email address of the resource owner. You can then use this parameter in the trigger condition or in the action settings.
Add a condition and modify the action. This option allows you to check if the alert is related to the resource owner and then send an email to them using the Office 365 Outlook connector.
The other two options are not correct because:
Adding a custom data connector and modifying the trigger will not change the email recipient, but rather create a new source of data for Azure Sentinel.
Adding an alert and modifying the action will not change the email recipient, but rather create a new alert based on a condition or logic app action.
Correct answer is C
To modify the playbook to send the email to the owner of the resource instead of the distribution group, you should do the following:
C. Add a condition and modify the action.
A condition is a logic app expression that evaluates to true or false. You can use conditions to control the flow of your playbook based on certain criteria. For example, you can add a condition that checks the owner of the resource from the alert or incident properties, and then use that value to modify the action that sends the email.
I would think A makes more sense than D, since the question wants to change the email recipient and not add a new one. So changing the trigger is required.
https://learn.microsoft.com/en-us/azure/sentinel/use-playbook-templates#customize-a-playbook-from-a-template >> Look under parameters. The notification email is there.
The answer this is not A. Why would we modify the trigger? I have a playbook like this in my lab. The Condition is where we tell the playbook that we want it to email out and who we want to email it out to. So if you edit the condition and then the action we can change who gets the email when the playbook is triggered.
It is D. Just go build a playbook.
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincidents
The trigger would not need to change. So you are left with C and D. Adding a condition will not help you email the resource owner but an alert will.
You add a new alert that includes the resource owner and then set the action to use that alert based on the condition and trigger that were already working.
I would agree with @So_Surreall on this one. The most professional answer would be to validate if the owner is defined and send to it. If no owner is defined, then send to the DL...
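The recipient logic this last comment describes (owner if one is defined and usable, otherwise the existing distribution group), as an added example that is not from the page, from Microsoft, or from any playbook template. It assumes the owner is carried in a resource tag named Owner, that the incident passed by the Sentinel trigger lists the affected resource as an AzureResource entity with a resourceId property, and it substitutes a constructed tag lookup for the ARM call a real Logic App would make; the incident, tags and addresses are all constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed fallback recipient: the distribution group the playbook emails today.
DISTRIBUTION_GROUP = "soc-alerts@contoso.example"
# Assumed tag name carrying the resource owner's address.
OWNER_TAG = "Owner"

# Constructed sample incident, shaped like the payload a Sentinel incident
# trigger hands to a Logic App: one AzureResource entity plus an IP entity.
SAMPLE_INCIDENT = {
    "properties": {
        "title": "Suspicious activity on storage account",
        "relatedEntities": [
            {"kind": "AzureResource",
             "properties": {"resourceId": "/subscriptions/0000/resourceGroups/rg-prod"
                                          "/providers/Microsoft.Storage/storageAccounts/stprod01"}},
            {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        ],
    }
}

# Constructed stand-in for the tags an ARM read of the resource would return.
# Note the lower-case key and the padding: both happen in real tag data.
SAMPLE_TAGS_BY_RESOURCE = {
    "/subscriptions/0000/resourceGroups/rg-prod"
    "/providers/Microsoft.Storage/storageAccounts/stprod01":
        {"Environment": "prod", "owner": " Alice.Smith@contoso.example "},
}

# Deliberately simple address check: one '@', no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resource_ids(incident: dict) -> List[str]:
    """Collect the ARM resource IDs of the incident's AzureResource entities."""
    ids = []
    for ent in incident.get("properties", {}).get("relatedEntities", []):
        if ent.get("kind") == "AzureResource":
            rid = ent.get("properties", {}).get("resourceId")
            if rid:
                ids.append(rid)
    return ids


def owner_email(tags: Dict[str, str], tag_name: str = OWNER_TAG) -> Optional[str]:
    """Return the owner address from the tags, or None if the tag is missing
    or does not hold an address. ARM tag names are case-insensitive, so the
    key is matched case-insensitively; the value is trimmed before checking."""
    for key, value in tags.items():
        if key.lower() == tag_name.lower():
            value = value.strip()
            return value if EMAIL_RE.match(value) else None
    return None


def choose_recipient(tags: Dict[str, str],
                     fallback: str = DISTRIBUTION_GROUP) -> Tuple[str, str]:
    """The playbook's condition: email the owner when one is defined and
    valid, otherwise fall back to the distribution group."""
    owner = owner_email(tags)
    if owner:
        return owner, "owner"
    return fallback, "distribution-group"


def recipients_for_incident(incident: dict,
                            tags_by_resource: Dict[str, Dict[str, str]]
                            ) -> List[Tuple[str, str, str]]:
    """Resolve one (resourceId, recipient, reason) triple per resource entity."""
    result = []
    for rid in resource_ids(incident):
        tags = tags_by_resource.get(rid, {})
        recipient, reason = choose_recipient(tags)
        result.append((rid, recipient, reason))
    return result


if __name__ == "__main__":
    for rid, to, why in recipients_for_incident(SAMPLE_INCIDENT, SAMPLE_TAGS_BY_RESOURCE):
        print(f"{rid}\n  -> {to} ({why})")
```

In the Logic App designer the same shape is an action that reads the resource (or its tags) after the trigger, a Condition on whether the owner value is present and well-formed, a true branch whose Send an email action takes its To field from that value, and a false branch that keeps the distribution group. Validating the tag value before using it matters: an empty or malformed Owner tag otherwise fails the email action silently, and the notification goes to nobody.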
Community vote distribution: A (35%), C (25%), B (20%), Other