Free Microsoft SC-200 Security Operations Analyst Actual Exam Questions - Question 8 Discussion
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
Sharing the incident URL (B) is the easiest way to let the other admin check those alerts without taking over the whole incident. It keeps things simple and flexible. B
B imo, sharing the incident URL lets the other admin access everything and decide what to focus on without locking the whole incident to them. It’s simpler than reassigning the entire incident.
D, since you can’t assign alerts separately, assigning the incident is necessary.
B imo, sharing the incident URL lets the other admin see everything and focus on those eight alerts without changing assignments. Assigning the whole incident feels too heavy-handed if you only need to escalate part of it.
Not B, sharing the URL doesn't actually transfer responsibility. The only way to officially hand over is by assigning the incident (D), even if it means all alerts go with it.
Assigning the incident (D) usually covers all alerts, not just a few. Since you only want to escalate specific alerts, maybe sharing the incident URL (B) lets the other admin focus on those eight? Not ideal, but might be the only way.
Makes sense to rule out A and C since they’re about creating rules rather than handling existing alerts. Sharing the URL with B might let the other admin view the incident, but it doesn’t actually escalate or assign responsibility. D sounds like the better fit because assigning the incident would formally hand it over to the other admin for further action. So I’d go with D here.
Options A and C feel off because they’re about creating rules, not sharing alerts already in an incident. B sounds tempting since sharing URLs is easy, but does it let the other admin manage or escalate those specific alerts? D might be the way to actually hand over responsibility for the incident and its alerts. Not sure if D only works on incidents or can handle selected alerts inside them though. Anyone else think just sharing the URL (B) could be risky if it doesn’t control permissions?