Free Microsoft Identity SC-300 Actual Exam Questions - Question 3 Discussion
What should you do?
Option A makes the most sense since multi-stage attack detection relies on specific correlation rules. Data connectors (C) just feed data in; they don’t set detection criteria.
It’s A for me. Data connectors (C) bring in info, but they don’t do detection themselves. Playbooks (D) handle response after an alert fires, so they’re not about detecting multi-stage attacks either. Workbooks (B) are just for visualization and analysis, not actual detection. Customizing the rule logic lets you define the correlation and sequence needed to spot multi-stage attacks in real time, which fits the requirement best.
C/D? Data connectors pull data, but playbooks automate responses after detection.
C. Configuring data connectors is key to bringing in the right signals for multi-stage attack detection before any rules or playbooks come into play. Without proper data, detection logic won’t be effective.
Maybe D could work since playbooks automate responses and can correlate alerts from different stages, but customizing rules (A) definitely targets detection more directly.
It’s A, customizing the rule logic feels right here.