Microsoft Security Operations Analyst — Question 91

You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?

Answer options

Correct answer: D

Explanation

The correct answer is D, because an automation rule is required to trigger actions in response to alerts from Microsoft Sentinel. The other options, such as a repository connection, a watchlist, and an analytics rule, do not directly automate launching the logic app based on Azure AD alerts.