Check your knowledge of Microsoft Sentinel automation rules and Logic Apps playbooks.
A security engineer needs to automatically close low-severity informational incidents that match a specific analytics rule, without running a Logic Apps workflow. Which Microsoft Sentinel feature meets this requirement?
An automation rule with a 'Close incident' action
A playbook triggered by the Microsoft Sentinel incident trigger
An analytics rule with automated remediation enabled
A Microsoft Sentinel workbook with a parameterized incident query
A security engineer deploys a Logic Apps playbook to post a Teams notification when a high-severity Microsoft Sentinel incident is created. After deployment, the playbook fails on every run with an authorization error when calling the Microsoft Sentinel connector. What is the most likely cause?
The Logic App's managed identity hasn't been assigned the Microsoft Sentinel Responder role on the workspace
The playbook must be deployed in the same Azure region as the Microsoft Sentinel workspace
The analytics rule must have incident creation disabled when the workspace is onboarded to the Defender portal
The Logic App must use a service principal connection string instead of a managed identity
Contoso's SOC needs a response workflow that queries an external threat intelligence API, evaluates the result, and then calls the Microsoft Defender for Endpoint API to isolate a compromised machine—all triggered automatically when a specific incident type is created. Which approach is most appropriate?
A playbook built in Azure Logic Apps with the Microsoft Sentinel incident trigger
An automation rule with a 'Change severity' and 'Assign owner' action sequence
A Microsoft Sentinel analytics rule with a KQL query that filters for the incident type
A Microsoft Sentinel automation rule that runs a built-in isolation action