Exam SC-200 topic 3 question 20 discussion

No Creating a Microsoft incident creation rule for a data connector will not meet the goal of creating an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. An incident creation rule is used to create incidents in Azure Sentinel based on specific criteria, such as when a certain number of alerts are triggered within a certain timeframe. While an incident creation rule can be used in conjunction with data connectors to analyze data from other sources, it does not directly detect sign-ins from malicious IP addresses. To detect sign-ins from malicious IP addresses, you would need to create an analytics rule that looks for specific signs of a malicious IP address, such as a high number of failed login attempts or login attempts from a known malicious IP. Once the rule detects a sign-in from a malicious IP, it can trigger an alert, which can then be used to create an incident in Azure Sentinel.

YES. https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#configure-the-incident-creation-settings

Its a B

ChatGTP: NO, scheduled KQL query ✅ Correct approach: Create a Scheduled Analytics Rule in Sentinel using KQL.

Yes according to Copilot Yes, creating a scheduled query rule for a data connector in Azure Sentinel can meet the goal of creating an incident when a sign-in to an Azure virtual machine from a malicious IP address is detected. Here’s why: Scheduled Query Rule: This rule can be configured to run at regular intervals and check for specific conditions, such as sign-ins from malicious IP addresses. Data Connector: By using a data connector, you can ingest relevant log data (e.g., Azure Activity logs, Sign-in logs) into Azure Sentinel. Incident Creation: When the query detects a sign-in from a malicious IP address, it can trigger an alert, which can then be configured to create an incident in Azure Sentinel

No. Microsoft Incident Creation rule is to "pull" the incidents created by other Microsoft products (Defender for Endpoint, Defender for Cloud, etc) into Sentinel. This alone would not create an incident from a sign-in from a malicious IP address

Correct

The answer is A. Yes. Creating a Microsoft incident creation rule for a data connector is a valid way to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.

this question is duplicate of question 18 and doesn't make sense

Yes https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts

B - No. The key word is the "Creation" in "Incident Creation Rule" In Azure Sentinel, an Incident Creation Rule and an Incident Rule are two different components used in the incident management workflow: Incident Creation Rule: An Incident Creation Rule is responsible for identifying and creating incidents based on specific conditions or triggers. It is typically used to detect specific patterns, events, or anomalies in the collected data. When the conditions defined in the rule are met, an incident is automatically generated. Incident Rule: An Incident Rule, also known as an Analytics Rule, is responsible for performing analysis on the collected data to identify potential security threats or suspicious activities. It applies specific logic or queries to the data to identify notable events or behavior. When the rule's conditions are met, it generates a notable event, which can later be investigated and potentially escalated to an incident.

not meet the goal

Yes. Creating a Microsoft incident creation rule for a data connector can meet the goal of creating an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. You can create a query that searches for sign-ins to Azure virtual machines from suspicious or malicious IP addresses, and then use that query in a Microsoft incident creation rule. When the rule detects a match, it can create an incident in Azure Sentinel that contains details about the suspicious sign-in. This can enable security teams to investigate the incident and take appropriate actions to mitigate any threats.

YES https://docs.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-security-center-auto-connect-to-sentinel/ba-p/1387539

Correct - yes.

I think this is the correct answer , as this kind of alert is generated by ASC , so we need the Microsoft incident creation rule to create incidents from ASC into sentinel. see https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference