SC-200 Question #297: Real Exam Question with Answer & Explanation
The correct answer is D: 4.
Question
You have an Azure subscription that contains a user named User1 and a Microsoft Sentinel workspace named WS1. WS1 uses Microsoft Defender for Cloud. You have the Microsoft security analytics rules shown in the following table. User1 performs an action that matches Rule1, Rule2, Rule3, and Rule4. How many incidents will be created in WS1?
Options
- A. 1
- B. 2
- C. 3
- D. 4
Explanation
Each Microsoft security analytics rule in Microsoft Sentinel operates independently and, by default, creates its own incident when its conditions are triggered. Because User1's action matches all four rules (Rule1, Rule2, Rule3, and Rule4), each rule fires independently and generates a separate incident, so 4 incidents are created in WS1. Incident deduplication or grouping happens only when it is explicitly configured (for example, through the alert grouping settings within a rule), and even then grouping applies to alerts raised by that one rule, not across different rules. Without such configuration, there is a 1:1 relationship between triggered rules and created incidents.