Microsoft 365 Security Administration — Question 85
You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) connector and an Office 365 connector.
From the workspace, you plan to create a scheduled query rule that will use a custom query. The rule will be used to generate alerts when inbound access to
Office 365 from specific user accounts is detected.
You need to ensure that when multiple alerts are generated by the rule, the alerts are consolidated as a single incident per user account.
What should you do?
Answer options
- A. From Set rule logic, map the entities.
- B. From Analytic rule details, configure Severity.
- C. From Set rule logic, set Suppression to Off.
- D. From Analytic rule details, configure Tactics.
Correct answer: A
Explanation
The correct answer is A. Alert grouping in a scheduled analytics rule keys on the entities the rule emits, so the user account must first be mapped as an Account entity (Set rule logic > Alert enrichment > Entity mapping), for example by mapping the query's UserId column to the Account entity's FullName identifier. Once the account is a mapped entity, the rule's Incident settings tab can group related alerts into incidents by selected entities (Account), which yields one incident per user account rather than one incident per alert; without the mapping, Sentinel has no account entity to group on. The other options do not affect consolidation: Severity (B) and Tactics (D) are incident metadata used for triage and MITRE ATT&CK classification, and Suppression (C) only controls whether the rule stops running for a period after it fires, which reduces the number of alerts but does not merge them.
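The following ARM template resource is an added illustration of the configuration described above, not part of the original question; it shows the entity mapping and the per-account alert grouping as they appear in a Microsoft.SecurityInsights scheduled rule deployed to the Log Analytics workspace. The workspace name, rule GUID, the two user principal names in the query and the grouping lookback window are placeholder values chosen for the example; in production the account list would normally come from a Sentinel watchlist rather than a hard-coded list.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "string", "defaultValue": "sentinel-workspace" }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "apiVersion": "2021-10-01",
      "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', '11111111-2222-3333-4444-555555555555')]",
      "kind": "Scheduled",
      "properties": {
        "displayName": "Office 365 access by watched accounts (example)",
        "description": "Example rule: alerts on Office 365 activity from specific accounts; one incident per account.",
        "enabled": true,
        "severity": "Medium",
        "tactics": [ "InitialAccess" ],
        "query": "OfficeActivity\n| where UserId in~ ('alice@contoso.example', 'bob@contoso.example')\n| project TimeGenerated, UserId, Operation, OfficeWorkload, ClientIP",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionEnabled": false,
        "suppressionDuration": "PT1H",
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              { "identifier": "FullName", "columnName": "UserId" }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              { "identifier": "Address", "columnName": "ClientIP" }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "Selected",
            "groupByEntities": [ "Account" ],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        }
      }
    }
  ]
}
```

The two pieces work together: `entityMappings` is the answer's "map the entities" step, and `groupingConfiguration` with `matchingMethod` set to `Selected` and `groupByEntities` set to `Account` is what actually folds new alerts for the same account into the existing open incident within the lookback window. Mapping the IP entity as well does not change the grouping, because only the entities listed in `groupByEntities` are compared; if `matchingMethod` were `AllEntities`, alerts for the same user from different client IPs would land in separate incidents, which is the usual reason this question's scenario calls for grouping by the account alone.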