Select the answer that correctly completes the sentence.
Answer:
Explanation:
In Microsoft Sentinel, automation is delivered through playbooks, which are built on Azure Logic Apps. Microsoft’s Sentinel documentation explains that playbooks “help automate and orchestrate your response to threats” and can be triggered by analytics alerts or incidents to run predefined actions. Typical automated tasks include “enriching alerts with data, blocking IP addresses, disabling users, or creating tickets,” allowing security teams to standardize and speed up their response and remediation processes. Sentinel also uses automation rules to decide when a playbook should run (for example, on incident creation or update), enabling consistent handling of common SOC tasks.
By contrast, the other options are not intended for automation: deep investigation tools are used to investigate incidents and entities; hunting search-and-query tools (built on KQL) are for proactive threat hunting rather than automating responses; and workbooks provide dashboards and visualizations for monitoring and reporting. Therefore, when the requirement is to automate common tasks—such as triggering actions across Microsoft 365 Defender, Azure, or third-party systems—the correct Sentinel capability is playbooks powered by Logic Apps. This aligns with the SCI guidance that emphasizes using Sentinel playbooks to “automate common workflows and response actions” and reduce manual effort while improving consistency and speed in security operations.