Q: 17
You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
Options
Discussion
Option D makes sense here. Assigning the incident is the only way to actually escalate and track who owns it in Sentinel. B is tempting but just lets them view, not take control.
Between B and D here, but pretty sure it's D. Assigning the incident in Sentinel is the official way to hand it over for escalation and keeps the workflow clean with proper ownership. Sharing a link (B) just gives them view access but doesn't transfer responsibility. Seen similar advice in the official docs and practice tests, but anyone using other resources feel differently?
D . Assigning the incident actually changes the owner in Sentinel, so escalation is tracked. Sharing a link doesn't transfer investigation responsibility.
D Not totally sure but pretty sure you assign the incident so the other admin gets ownership in Sentinel. Someone confirm?
Assign the incident, so D. That's the built-in way to transfer escalation ownership in Sentinel.
I think D. Assign the incident is what you use in Sentinel for escalation and tracking, matches what I've seen in the official study guide and some lab scenarios. Sharing a URL just lets someone look, not actually escalate. Anyone find something different in practice exams?
Be respectful. No spam.
