Microsoft Security Operations Analyst — Question 96
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?
Answer options
- A. the incident automation settings
- B. the query rule
- C. entity mapping
- D. the Alert automation settings
Correct answer: B
Explanation
The correct answer is B: a near-real-time (NRT) analytics rule requires a query rule, which defines how the data is analyzed and what condition triggers the playbook. Options A and D concern incident and alert automation settings, which are not directly related to creating the analytics rule itself. Option C, entity mapping, maps fields in the results to entities but does not by itself configure the analytics rule.