Which THREE steps should be included in a Microsoft Sentinel playbook for automatic incident response when a high-severity alert fires?
Enrichment helps validate the alert.
Why this answer
The playbook should investigate, contain, and notify. Pausing the incident is not standard; the playbook should run immediately. Creating a new Azure resource is not typically part of incident response.