Exam MS-500 topic 2 question 51 discussion

Entity mapping is an integral part of the configuration of scheduled query analytics rules. It enriches the rules' output (alerts and incidents) with essential information that serves as the building blocks of any investigative processes and remedial actions that follow. The procedure detailed below is part of the analytics rule creation wizard. It's treated here independently to address the scenario of adding or changing entity mappings in an existing analytics rule.

correct answer : You have the flexibility to group alerts into a single incident per the following logic: Grouping alerts into a single incident if all the entities match (recommended) Grouping all alerts triggered by this rule into a single incident Grouping alerts into a single incident if the selected entities match (Account, Host, IP, URL) link to group mapping :https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-reduce-alert-noise-with-incident-settings-and-alert/ba-p/1187940

I would go for C: confusing If you are creating a scheduled query rule in Azure Sentinel, you should select option A, From Set rule logic, map the entities. This is the more specific and correct answer for this question. Option C, From Set rule logic, set Suppression to Off, is also a correct answer, but it is more general and can be used to consolidate alerts from any type of rule. Once you have mapped the entities, Azure Sentinel will recognize alerts generated by the rule that share the same entity as part of the same incident. This consolidation allows for better management and analysis of the alerts, simplifying incident response and reducing duplication.

Valid on28/01/23

From the docs, "Entities enrich the rules' output (alerts and incidents) with essential information... They are also the criteria by which you can group alerts together into incidents in the Incident settings tab." 'A' is correct