Question 17 - Microsoft SC-200 Security Operations Analyst Real Exam Questions [Jan 2026 Update]

Q: 17

You are investigating an incident in Azure Sentinel that contains more than 127 alerts. You discover eight alerts in the incident that require further investigation. You need to escalate the alerts to another Azure Sentinel administrator. What should you do to provide the alerts to the administrator?

Options

Correct Answer:

Explanation

The most appropriate and formal method to escalate an incident in Azure Sentinel to another administrator is by assigning it. Assigning an incident officially transfers ownership and responsibility for the investigation and remediation. This action updates the incident's Owner property, which is crucial for tracking, workflow management, and ensuring clear accountability. While you can share a link, assigning is the built-in, procedural mechanism for escalation within the Sentinel platform. The new owner will then be responsible for investigating the entire incident, including the eight specific alerts you identified.

Why Incorrect

A. Create a Microsoft incident creation rule: This is an automation setting used to automatically create incidents from Microsoft security service alerts; it is not used to manage or escalate existing incidents.

B. Share the incident URL: This is an informal way to notify someone. It does not formally transfer ownership or responsibility, making it difficult to track the escalation process.

C. Create a scheduled query rule: This is a type of analytics rule used to generate new alerts and incidents based on a KQL query, not for managing or escalating existing ones.

References

1. Microsoft Learn. (2023). Investigate incidents with Microsoft Sentinel.

Section: "Assigning incidents and changing status and severity"

Quote/Content: "Assign an incident to an owner to take responsibility for its remediation. You can also assign incidents to a group... When you assign an incident to an owner

the owner's name appears in the incident details in the Owner field." This document explicitly describes assigning an incident as the method for transferring responsibility.

2. Microsoft Learn. (2023). Automatically create incidents from Microsoft security alerts.

Section: "Introduction"

Quote/Content: "Microsoft Sentinel allows you to automatically create incidents each time an alert is triggered in a connected Microsoft security service." This confirms that incident creation rules are for generating new incidents

not managing existing ones.

3. Microsoft Learn. (2023). Create custom analytics rules to detect threats.

Section: "Rule settings in the Analytics rule wizard - General tab"

Quote/Content: "Scheduled query rules run queries on a schedule

looking for events that might indicate a threat." This shows that scheduled query rules are for threat detection and alert creation

not incident management.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE