SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 1: Manage a Security Operations Environment (~12 min read)

Sentinel Automation: Rules & Playbooks

Automate your SOC response with Sentinel automation rules and Logic App playbooks. Learn when to use each, how to configure them, and how they work together for SOAR.

SOAR: the automation layer

☕ Simple explanation

Think of a restaurant kitchen. When an order comes in, you do not want the head chef personally handling every single ticket. Simple orders (toast, salad) should be routed automatically. Complex orders (the tasting menu) need the chef’s attention.

In Sentinel, automation rules are the ticket routing system: they automatically assign incidents, change severity, run playbooks, or close false positives based on conditions. Playbooks are the recipes: Logic Apps that take specific actions like sending a Teams message, blocking an IP, or enriching an alert with threat intel.

Together, they form SOAR (Security Orchestration, Automation, and Response): your kitchen runs itself for the routine work.

Microsoft Sentinel’s SOAR capabilities consist of two components:

  • Automation rules: lightweight, condition-based rules that execute when incidents are created or updated. They can modify incident properties, run playbooks, or close incidents. No code required.
  • Playbooks: Azure Logic Apps workflows triggered by Sentinel. They connect to external services (Teams, ServiceNow, VirusTotal, email) and perform complex multi-step actions.

Automation rules are the orchestration layer (deciding what happens); playbooks are the execution layer (doing the work). This separation allows non-developers to configure routing while developers build sophisticated integrations.

Automation rules

Automation rules run every time an incident is created or updated that matches their conditions.

What automation rules can do

| Action | Example |
| --- | --- |
| Assign owner | Auto-assign phishing incidents to the email security analyst |
| Change severity | Escalate incidents involving executive accounts to High |
| Add tags | Tag incidents from specific data connectors for tracking |
| Run a playbook | Trigger enrichment or notification workflows |
| Close incident | Auto-close known false positives with a classification |
| Suppress | Prevent incident creation for specific conditions |

Automation rule structure

Every automation rule has:

  1. Trigger: when to evaluate (incident created, incident updated, alert created)
  2. Conditions: what to match (analytics rule name, severity, entities, tags, etc.)
  3. Actions: what to do (assign, tag, run playbook, close)
  4. Order: rules run in the configured order (1, 2, 3…). All matching rules execute; order determines priority when multiple rules try to set the same property (e.g., assign to different analysts). Higher-order rules can override lower-order ones for conflicting actions.
  5. Expiration: optional end date (useful for temporary suppressions)

💡 Scenario: Anika's automation rules for 40 clients

Anika at Sentinel Shield configures automation rules per client workspace:

  • Rule 1 (Order 1): If analytics rule = “Known false positive - backup server” → close incident as Benign Positive
  • Rule 2 (Order 2): If severity = High AND entity contains “CEO” or “CFO” → assign to Wei (Tier 2) + change severity to High + run “Notify-VIP-Incident” playbook
  • Rule 3 (Order 3): If severity = Medium → assign to the on-call analyst rotation
  • Rule 4 (Order 4): All remaining incidents → add tag “Unassigned” for triage review

Order matters: Rule 1 closes false positives before Rule 2 checks for VIP involvement.
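The ordering behaviour described above, as an added example that is not part of the study guide: a small Python simulation of Anika's four rules. It models the semantics the page states (every matching rule runs, lowest order first, and a later rule overwrites a property set by an earlier one); the condition and action representations are simplified stand-ins, not the Sentinel API, and Rule 4's "all remaining incidents" is interpreted as "still open and still unassigned".

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Incident:
    analytics_rule: str
    severity: str
    entities: list
    owner: Optional[str] = None
    status: str = "New"
    classification: Optional[str] = None
    tags: list = field(default_factory=list)
    playbooks_run: list = field(default_factory=list)

@dataclass
class AutomationRule:
    name: str
    order: int                            # 1 runs first
    condition: Callable[[Incident], bool]
    actions: dict                         # simplified stand-in for the portal's action list

def apply_rules(incident, rules):
    """Evaluate rules lowest order first; return the names of the rules that fired."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.condition(incident):
            continue                      # every matching rule runs; no early stop
        fired.append(rule.name)
        for action, value in rule.actions.items():
            if action == "run_playbook":
                incident.playbooks_run.append(value)
            elif action == "add_tag":
                incident.tags.append(value)
            elif action == "close":
                incident.status, incident.classification = "Closed", value
            else:  # owner / severity: a later (higher-order) rule overwrites an earlier one
                setattr(incident, action, value)
    return fired

# Anika's four rules from the scenario; "all remaining incidents" in Rule 4 is modelled
# as "still open and still unassigned" (an assumption, not Sentinel's exact semantics).
ANIKA_RULES = [
    AutomationRule("Close backup FP", 1, lambda i: i.analytics_rule == "Known false positive - backup server",
                   {"close": "BenignPositive"}),
    AutomationRule("VIP escalation", 2, lambda i: i.severity == "High" and any(e in ("CEO", "CFO") for e in i.entities),
                   {"owner": "Wei", "severity": "High", "run_playbook": "Notify-VIP-Incident"}),
    AutomationRule("Medium to on-call", 3, lambda i: i.severity == "Medium", {"owner": "on-call rotation"}),
    AutomationRule("Tag unassigned", 4, lambda i: i.owner is None and i.status != "Closed", {"add_tag": "Unassigned"}),
]
```

Feeding two rules that both set the owner shows the conflict rule directly: the one with the higher order number is applied last and wins, whatever order the rules are listed in.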

Playbooks

Playbooks are Azure Logic Apps that perform automated actions when triggered by Sentinel.

Common playbook patterns

| Pattern | What It Does | Services Used |
| --- | --- | --- |
| Enrichment | Look up entities in VirusTotal, AbuseIPDB, Shodan | External threat intel APIs |
| Notification | Post to Teams channel, send email, create ServiceNow ticket | Teams, Outlook, ServiceNow |
| Containment | Block IP in firewall, disable user, isolate device | Defender XDR, Entra ID, firewall API |
| Remediation | Reset password, revoke sessions, quarantine mailbox | Entra ID, Exchange Online |
| Sync | Bi-directional incident sync between Sentinel and ITSM tools | ServiceNow, Jira, PagerDuty |

Playbook triggers

| Trigger | When It Fires | Use Case |
| --- | --- | --- |
| Microsoft Sentinel Incident | When an automation rule triggers the playbook | Most common: incident-based automation |
| Microsoft Sentinel Alert | When a specific alert fires | Alert-level enrichment before incident creation |
| Microsoft Sentinel Entity | When an entity is investigated | On-demand enrichment during investigation |

Automation rules orchestrate; playbooks execute complex workflows

| Feature | Automation Rules | Playbooks |
| --- | --- | --- |
| What they are | Lightweight condition-action rules in Sentinel | Azure Logic Apps workflows |
| Complexity | Simple: no code, dropdown configuration | Complex: multi-step workflows with connectors |
| Actions | Assign, tag, change severity, close, run playbook | Anything Logic Apps can do (hundreds of connectors) |
| External integration | No: Sentinel actions only | Yes: Teams, email, ServiceNow, APIs, etc. |
| Who creates them | SOC analysts and leads | Automation engineers and developers |
| Required role | Sentinel Contributor | Logic App Contributor + Sentinel Playbook Operator |
💡 Exam tip: who can create what

The exam tests role-based access for automation:

  • Automation rules → requires Sentinel Contributor role
  • Playbooks (create/edit) → requires Logic App Contributor role
  • Playbooks (run) → requires Sentinel Playbook Operator role

A common trap: a Sentinel Contributor can create automation rules that reference playbooks, but cannot create or edit the playbooks themselves. If the question says “create a playbook,” the answer is Logic App Contributor.

Building a playbook step by step

  1. Create a Logic App in Azure (Consumption tier for Sentinel playbooks)
  2. Add the Sentinel trigger (incident trigger is most common)
  3. Add actions: parse the incident, extract entities, call external APIs
  4. Add Sentinel actions: update incident, add comment, change severity
  5. Authorise connections: each connector needs credentials (managed identity recommended)
  6. Test β€” trigger manually from an incident in Sentinel
  7. Connect to automation rule β€” the rule calls the playbook automatically
💡 Scenario: Dev builds an enrichment playbook

Dev, the automation engineer at Pacific Meridian, builds an enrichment playbook:

Trigger: Microsoft Sentinel Incident (when automation rule fires)

Steps:

  1. Parse incident entities: extract IP addresses
  2. For each IP → call VirusTotal API → get reputation score
  3. For each IP → call AbuseIPDB → get abuse confidence score
  4. Add a comment to the Sentinel incident with enrichment results
  5. If any IP has VirusTotal score greater than 5 → change incident severity to High
  6. Post summary to the SOC Teams channel

James creates an automation rule: “If analytics rule = Suspicious Outbound Connection → run Dev’s enrichment playbook.”
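Dev's enrichment flow written out in plain Python, as an added example that is not code from the study guide or from any Microsoft connector: the incident payload is a constructed, trimmed stand-in for what the Sentinel incident trigger hands a Logic App, and the VirusTotal and AbuseIPDB lookups are constructed in-memory tables with made-up scores, so it runs offline. It also covers two failure modes a real playbook has to survive: a malformed IP entity and an IP the threat-intel source has never seen.

```python
import ipaddress

# Constructed sample payload: a trimmed version of what the Sentinel incident
# trigger hands the Logic App (only the fields this playbook reads).
INCIDENT = {"properties": {
    "title": "Suspicious Outbound Connection", "severity": "Medium",
    "relatedEntities": [
        {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        {"kind": "Ip", "properties": {"address": "198.51.100.22"}},
        {"kind": "Account", "properties": {"accountName": "jdoe"}},
        {"kind": "Ip", "properties": {"address": "not-an-ip"}},   # malformed entity
    ]}}
# Constructed in-memory stand-ins for the VirusTotal and AbuseIPDB connectors
VIRUSTOTAL = {"203.0.113.7": 9, "198.51.100.22": 0}   # engines flagging the IP
ABUSEIPDB = {"203.0.113.7": 87, "198.51.100.22": 3}   # abuse confidence score (%)
VT_ESCALATE_ABOVE = 5                                 # threshold used in the scenario

def extract_ips(incident):
    """Step 1: pull IP entities out of the incident, skipping malformed addresses."""
    ips = []
    for ent in incident["properties"].get("relatedEntities", []):
        if ent.get("kind") != "Ip":
            continue
        addr = ent.get("properties", {}).get("address", "")
        try:
            ips.append(str(ipaddress.ip_address(addr)))
        except ValueError:
            continue   # bad entity: skip it rather than failing the whole playbook run
    return ips

def enrich(incident, vt=VIRUSTOTAL, abuse=ABUSEIPDB):
    """Steps 2-5: look up each IP, build the incident comment, decide on escalation."""
    results = [{"ip": ip, "vt": vt.get(ip, 0), "abuse": abuse.get(ip, 0)}
               for ip in extract_ips(incident)]   # unknown IP -> 0, not an error
    comment = "Enrichment: " + "; ".join(
        f"{r['ip']} VT={r['vt']} AbuseIPDB={r['abuse']}%" for r in results)
    severity = incident["properties"]["severity"]
    if any(r["vt"] > VT_ESCALATE_ABOVE for r in results):
        severity = "High"                         # step 5: escalate
    teams_summary = f"{incident['properties']['title']}: {len(results)} IP(s) checked, severity {severity}"
    return {"comment": comment, "severity": severity, "teams_summary": teams_summary}
```

In the real Logic App the returned comment, severity and summary become the "Add comment to incident", "Update incident" and "Post message in a chat or channel" actions respectively.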

Question

What is the difference between automation rules and playbooks in Sentinel?

Answer

Automation rules are lightweight condition-action rules (assign, tag, close, run playbook); no code needed. Playbooks are Azure Logic Apps that perform complex multi-step workflows with external service integrations (Teams, APIs, ITSM). Automation rules orchestrate; playbooks execute.

Question

What role is required to create a Sentinel playbook?

Answer

Logic App Contributor (to create/edit the Logic App) plus Sentinel Playbook Operator (to run the playbook from Sentinel). A Sentinel Contributor can create automation rules that reference playbooks but cannot create the playbooks themselves.

Question

In what order do automation rules execute?

Answer

Automation rules are evaluated in the configured order (1, 2, 3...). All matching rules execute their actions. When multiple rules try to set the same property (e.g., assign incident to different analysts), the rule with the higher order number wins. Use order to establish priority for conflicting actions.

Knowledge Check

Anika needs phishing incidents at a client to automatically post a message to the SOC Teams channel. What should she configure?

Knowledge Check

Dev at Pacific Meridian creates a Logic App playbook for incident enrichment. He wants it to run automatically when high-severity incidents are created. What else needs to be configured?

Next up: Automation handles the routine. Now let’s build the detections: custom detection rules in Defender XDR that turn your hunting queries into always-on monitors.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.