Microsoft Sentinel playbooks can be triggered by different types of events—alerts, incidents, or entities. Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an incident trigger.
According to Microsoft Sentinel automation documentation:
“When you want automation to start after an incident is created or updated, use the incident trigger. This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”
This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto-closing incidents if they match certain conditions).
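As an added example (not code from the page or from Microsoft), here is the incident-triggered playbook described above as a Bicep deployment: the Logic App starts from the Microsoft Sentinel incident trigger and adds a comment when the incident's severity is High. The playbook name, the name of an existing azuresentinel API connection, and the connector paths and payload fields are assumptions; check them against a playbook exported from your own workspace before deploying.

```bicep
// Added example (not from the page or Microsoft): Sentinel playbook built on the
// incident trigger that comments on High-severity incidents.
// Assumptions: playbook name, an existing 'azuresentinel' API connection (placeholder
// name), and connector paths/fields as the portal exports them for this connector.
param location string = resourceGroup().location
param playbookName string = 'Comment-HighSeverity-Incidents'
param sentinelConnectionName string = 'azuresentinel'

var sentinelApiId = subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'azuresentinel')
var connRef = '@parameters(\'$connections\')[\'azuresentinel\'][\'connectionId\']'

resource playbook 'Microsoft.Logic/workflows@2019-05-01' = {
  name: playbookName
  location: location
  properties: {
    state: 'Enabled'
    parameters: { '$connections': { value: { azuresentinel: { connectionId: resourceId('Microsoft.Web/connections', sentinelConnectionName), connectionName: sentinelConnectionName, id: sentinelApiId } } } }
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: { '$connections': { type: 'Object', defaultValue: {} } }
      triggers: {
        // Incident trigger (/incident-creation). The alert trigger uses /subscribe and
        // delivers a single alert, not the incident, so it cannot drive post-incident
        // automation such as commenting on or closing the incident.
        Microsoft_Sentinel_incident: {
          type: 'ApiConnectionWebhook'
          inputs: { body: { callback_url: '@{listCallbackUrl()}' }, host: { connection: { name: connRef } }, path: '/incident-creation' }
        }
      }
      actions: {
        // Branch on the severity carried in the incident payload; other severities end here.
        Is_high_severity: {
          type: 'If'
          expression: { equals: [ '@triggerBody()?[\'object\']?[\'properties\']?[\'severity\']', 'High' ] }
          actions: {
            // "Add comment to incident": posts to the incident referenced by its ARM id.
            Add_comment_to_incident: {
              type: 'ApiConnection'
              inputs: { method: 'post', path: '/Incidents/Comment', host: { connection: { name: connRef } }, body: { incidentArmId: '@triggerBody()?[\'object\']?[\'id\']', message: '<p>High-severity incident: analyst review required.</p>' } }
            }
          }
        }
      }
    }
  }
}
```

Attach the playbook to the incidents from rulequery1 with an automation rule whose trigger is "When incident is created" and whose condition filters on that analytics rule; the playbook's identity (or the connection's) still needs the Microsoft Sentinel Responder role on the workspace to write the comment.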
✅ Answer for Question 8: A. a playbook with an incident trigger