Exam SC-200 topic 3 question 28 discussion

I would say B & D as you need the playbook to be created first then associated.

Hi all, I did the exam yesterday and this came up, I selected B&D and scored 925

Correct option

Add a playbook to Azure Sentinel that includes the action to send a message to a Microsoft Teams channel. Associate the playbook to the analytics rule that triggers the incident.

So the playbook was already created? You can associate if there is no playbook. I would have to pick B&D.

To send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel, you will need to perform two actions: Add a playbook: A playbook is a set of actions that can be triggered in response to an incident, such as sending a message to a channel in Microsoft Teams. To add a playbook, you will need to navigate to the Playbooks tab in Azure Sentinel and create a new playbook that includes an action to send a message to a Microsoft Teams channel. Associate a playbook to the analytics rule that triggered the incident: After creating the playbook, you will need to associate it with the analytics rule that triggered the incident. This can be done by navigating to the Analytics tab in Azure Sentinel, select the analytics rule that you want to associate the playbook with, and then selecting the "Associate Playbook" button and selecting the playbook that you created.

I think there is similar question but it was incident access from suspicious iPaddress and for that no need to enable entity behaviour hence the steps were Associate Playbook and Add playbook but for this issue is related to sign-in risk event which needed signin logs data source which has to enabled first, hence the answers changed to A and B

Answer is D Add a playbook B Associate a playbook to the analytics rule that triggered the incident. UEBA also requires data sources from Azure and/or Thirdparty and will be able to help analyze and investigate an incident. This is not relevant to the question. So we have to assume data connectors are in place.

B+D is the right way

Surely would be easier to connect Identity Protection to Sentinel than use the UEBA stuff... Which seems more for intelligent insider risk (i think - never used EUBA). I'd go B and D.

Answer is B and D

Correct answers A&B. You can't assume you have the data source needed to capture risky sign-ins. You should check whether you have the required data source on First then worry about how to do the rest. So answer A is required. Now that you are left with only one remaining correct answer. D on its on doesn't provide a complete solution (having a playbook on its own is not enough). Hence answer B provides a complete solution.

BD aswell

should be BD

A, Risky sign in has to do with Entity behavior analytics. B, agree with everyone else

It seems like answer A is related to the fact that it is "an incident representing a sign-in risk event" and sign in risks are in the category of Entity Behavior. Not sure, but that is only thing I can find to make answer A make sense.

The scenario in the link about playbooks goes along with answer B. Orchestration Use the SOC chat platform to better control the incidents queue. For example: A Microsoft Sentinel incident was created from an alert by an analytics rule that generates username and IP address entities. The incident triggers an automation rule which runs a playbook with the following steps: Start when a new Microsoft Sentinel incident is created. Send a message to your security operations channel in Microsoft Teams or Slack to make sure your security analysts are aware of the incident. Send all the information in the alert by email to your senior network admin and security admin. The email message will include Block and Ignore user option buttons. Wait until a response is received from the admins, then continue to run. If the admins have chosen Block, send a command to the firewall to block the IP address in the alert, and another to Azure AD to disable the user.