Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?
- A
Configure an analytics rule to set the incident owner to the senior analyst and enable Teams integration in Sentinel settings.
Why wrong: Analytics rules create incidents but do not set owners or trigger Teams messages.
- B
Create a playbook that reassigns incidents and posts to Teams, and attach it to an automation rule triggered by high-severity incidents.
Why wrong: Playbooks do not reassign incidents; assignment is done by automation rules.
- C
Create a workbook that filters high-severity incidents and configure a Teams webhook in the workbook settings.
Why wrong: Workbooks are for reporting, not incident handling.
- D
Create an automation rule that runs when an incident is created with severity High, sets the owner to the senior analyst, and then runs a playbook to post a message to Teams.
Why correct: Automation rules can assign owners and trigger playbooks that post to Teams.