Question 452 of 1,639
Manage a security operations environmenteasyMultiple SelectObjective-mapped

Quick Answer

The answer is automation rules and playbooks based on Azure Logic Apps. Automation rules allow you to define triggers and actions—like assigning incidents, changing severity, or running a playbook—that execute automatically when an incident or alert is created, providing a lightweight, rule-based approach to incident response. Playbooks, built on Azure Logic Apps, extend this by enabling complex, multi-step workflows such as isolating a compromised VM, blocking an IP, or opening a service desk ticket, all without manual intervention. On the SC-200 exam, this distinction is critical: automation rules handle simple, immediate triage tasks, while playbooks handle orchestrated response sequences. A common trap is confusing playbooks with Logic Apps themselves—remember that playbooks are the Sentinel-specific wrapper that integrates Logic Apps directly into the incident lifecycle. Memory tip: think of automation rules as the “if-this-then-that” for incidents, and playbooks as the “full recipe” for response actions.

SC-200 Manage a security operations environment Practice Question

This SC-200 practice question tests your understanding of manage a security operations environment. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which TWO features are available in Microsoft Sentinel to automate incident response?

Question 1easymulti select
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Playbooks based on Azure Logic Apps.

Playbooks based on Azure Logic Apps are correct because they provide a native, low-code automation framework within Microsoft Sentinel. They allow security analysts to define and execute complex, multi-step response actions—such as isolating a compromised VM, blocking an IP address, or opening a ticket—triggered by alerts or incidents. This directly automates incident response workflows without manual intervention.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Playbooks based on Azure Logic Apps.

    Why this is correct

    Playbooks automate response actions.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Workbooks.

    Why it's wrong here

    Workbooks are for dashboards, not automation.

  • Kusto Query Language (KQL) queries.

    Why it's wrong here

    KQL is used for querying, not automating response.

  • UEBA.

    Why it's wrong here

    UEBA is for anomaly detection, not automation.

  • Automation rules.

    Why this is correct

    Automation rules trigger playbooks or other actions automatically.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse detection or analysis tools (Workbooks, KQL, UEBA) with automation tools, failing to recognize that only Playbooks and Automation Rules provide the actual execution of response actions in Sentinel.

Detailed technical explanation

How to think about this question

Playbooks in Sentinel are built on Azure Logic Apps, which use connectors to integrate with hundreds of services (e.g., Microsoft Graph API for user management, Azure AD for conditional access, or third-party SIEMs). They can be triggered by automation rules or directly from incidents, and support conditions, loops, and parallel branches for sophisticated orchestration. A real-world scenario might involve a playbook that automatically disables a user account, revokes active sessions, and sends a Teams notification when a high-severity insider threat alert fires.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SC-200 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SC-200 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SC-200 question test?

Manage a security operations environment — This question tests Manage a security operations environment — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Playbooks based on Azure Logic Apps. — Playbooks based on Azure Logic Apps are correct because they provide a native, low-code automation framework within Microsoft Sentinel. They allow security analysts to define and execute complex, multi-step response actions—such as isolating a compromised VM, blocking an IP address, or opening a ticket—triggered by alerts or incidents. This directly automates incident response workflows without manual intervention.

What should I do if I get this SC-200 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on SC-200

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Which TWO of the following are valid ways to automate incident response in Microsoft Sentinel?

medium
  • A.Create a playbook using Azure Logic Apps.
  • B.Use Azure Functions to run a script.
  • C.Use PowerShell to modify incidents via API.
  • D.Use Microsoft Power Automate to create a flow.
  • E.Create an automation rule that triggers a playbook.

Why A: Option A is correct because Azure Logic Apps is the native workflow engine for Microsoft Sentinel playbooks, allowing security analysts to automate incident response actions such as blocking IPs, resetting passwords, or enriching alerts. Playbooks are triggered by automation rules or directly from incidents, and they leverage hundreds of connectors to integrate with external systems. This is the primary and recommended method for building automated response workflows in Sentinel.

Keep practising

More SC-200 practice questions

Last reviewed: Jun 25, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SC-200 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-200 exam.