SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 2: Respond to Security Incidents (~12 min read)

Sentinel Incident Response

Sentinel is where every signal converges. Learn how to investigate incidents in Sentinel, use entity pages, manage incident workflows, and connect Sentinel response to the wider Defender XDR ecosystem.

Sentinel as the central nervous system

☕ Simple explanation

Defender XDR watches Microsoft products. Sentinel watches everything.

Firewall logs, Linux servers, custom applications, third-party SaaS apps, cloud infrastructure — all of this feeds into Sentinel. When an analytics rule fires, Sentinel creates an incident that may combine alerts from multiple data sources into a single investigation.

As a SOC analyst working in Sentinel, you use the incident page to see all related alerts, entities, evidence, and timelines in one place. You use entity pages to deep-dive into specific users, devices, or IP addresses. And you use the investigation graph to trace relationships between entities.

Microsoft Sentinel aggregates security signals from across the entire digital estate. Incidents created by Sentinel analytics rules may contain alerts from any ingested data source — Defender XDR, third-party firewalls, custom log tables, Syslog, and more.

The Sentinel investigation experience includes: the incident page (summary, alerts, entities, evidence, comments), entity pages (user behaviour analytics, timeline, related alerts), the investigation graph (visual entity relationship mapping), and integration with UEBA (User and Entity Behavior Analytics) for behavioural context.

Sentinel incidents now surface in the unified Defender XDR incident queue, enabling analysts to investigate cross-domain incidents from a single pane of glass.

The Sentinel incident page

When you open a Sentinel incident, you see:

  • Overview: incident summary (severity, status, owner, timestamps, classification)
  • Alerts: all alerts grouped into this incident, with severity and detection source
  • Entities: users, devices, IPs, URLs, and file hashes involved in the incident
  • Evidence: raw log data, email messages, files, and processes linked to the alerts
  • Comments: analyst notes, investigation steps, decisions
  • Similar incidents: past incidents with similar patterns, for reference

Entity pages

Clicking an entity (user, device, IP) opens its entity page — a deep-dive view with:

  • Timeline — all activities involving this entity, chronologically
  • Related alerts — other alerts and incidents involving the same entity
  • UEBA insights — behavioural analytics showing whether the entity's recent activity is anomalous
  • Sentinel Graph connections — relationships to other entities
💡 Scenario: Anika investigates a Sentinel incident

Anika at Sentinel Shield opens a High-severity incident: "Suspicious outbound connection to known C2 IP."

Investigation using the incident page:

  • Alerts tab: two alerts — (1) a Sentinel TI rule matched a C2 IP from the FS-ISAC feed, (2) a Defender XDR custom detection for unusual PowerShell network activity
  • Entities: one device (ACME-WEB-03), one user (j.smith@acmecorp.com), one IP (198.51.100.42)
  • Entity page for ACME-WEB-03: the timeline shows a PowerShell process spawned by w3wp.exe (the IIS worker), which connected to the C2 IP and then downloaded a second-stage payload
  • UEBA insight: j.smith has never run PowerShell on this server before — anomalous

Verdict: Web server compromised via web shell. The IIS process was hijacked to execute PowerShell and establish C2 communication.

Response: Isolate the server, collect investigation package, alert the client, and begin forensic analysis.

The investigation graph

The investigation graph visually maps relationships between entities in an incident. It shows how users, devices, IPs, and files connect β€” helping you trace the attack chain.

Starting from the incident, you can:

  1. Expand entities to see their related alerts and activities
  2. Follow connections — device → user → IP → file → other devices
  3. Identify the blast radius β€” how far the attack spread
  4. Find the entry point β€” trace backwards from the compromised entity to the initial access
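The two graph walks above (blast radius outward, entry point backwards) can be reproduced on the incident's entity relationships. The following is an added Python example, not code from the lesson or from Sentinel itself; it assumes constructed activity edges modelled on Anika's scenario, and the entity and alert names that do not appear in the lesson (203.0.113.7, ACME-APP-0n, ACME-DB-01, ACME-FILE-01, the alert labels) are invented. It goes one step beyond the text by honouring time order, so that traffic a server sent before it was compromised does not inflate the blast radius.

```python
from collections import deque, namedtuple

# One directed edge of the investigation graph: `actor` touched `target` at `time`
# (ISO-8601 UTC, so plain string comparison orders edges correctly). Entity ids are
# prefixed with their type, e.g. "device:ACME-WEB-03"; `alert` names the evidence.
Activity = namedtuple("Activity", "time actor target alert")

# Constructed sample edges modelled on the lesson scenario (not real telemetry).
ACTIVITIES = [
    Activity("2026-04-02T09:58:00Z", "ip:203.0.113.7", "device:ACME-WEB-03", "web-shell-upload"),
    Activity("2026-04-02T10:01:00Z", "user:j.smith@acmecorp.com", "device:ACME-WEB-03", "ueba-first-ps"),
    Activity("2026-04-02T10:02:00Z", "device:ACME-WEB-03", "ip:198.51.100.42", "ti-c2-match"),
    Activity("2026-04-02T10:30:00Z", "device:ACME-APP-03", "device:ACME-DB-01", "smb-lateral"),
    # Pre-compromise traffic from a later victim: must not count toward the blast radius.
    Activity("2026-04-02T09:00:00Z", "device:ACME-APP-05", "device:ACME-FILE-01", "smb-backup"),
] + [  # the web server fans out to five internal servers, one per minute
    Activity(f"2026-04-02T10:{10 + i}:00Z", "device:ACME-WEB-03", f"device:ACME-APP-0{i}", "smb-lateral")
    for i in range(1, 6)
]


def blast_radius(activities, start):
    """Map of entity -> earliest time it was reached from `start`, following edges in
    time order: an edge out of a node only counts if it happened at or after the
    moment that node was itself reached (a plain graph walk would over-count)."""
    reached, queue = {start: ""}, deque([start])   # "" sorts before any timestamp
    while queue:
        node = queue.popleft()
        for a in activities:
            prev = reached.get(a.target)
            if a.actor == node and a.time >= reached[node] and (prev is None or a.time < prev):
                reached[a.target] = a.time
                queue.append(a.target)
    return reached


def trace_entry_point(activities, compromised):
    """Follow inbound edges backwards in time from `compromised` until a node has no
    earlier inbound activity; returns that node and the chain walked to it."""
    node, cursor, chain = compromised, None, [compromised]
    while True:
        earlier = [a for a in activities if a.target == node and a.actor not in chain
                   and (cursor is None or a.time < cursor)]
        if not earlier:
            return node, chain
        step = min(earlier, key=lambda a: a.time)
        node, cursor = step.actor, step.time
        chain.append(node)
```

Running `blast_radius(ACTIVITIES, "device:ACME-WEB-03")` reaches the C2 IP, the five app servers and ACME-DB-01 but not ACME-FILE-01, and `trace_entry_point` from the web server ends at the external IP rather than at j.smith.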

Incident management workflow

  • Assign: route to the right analyst (Tier 1, Tier 2, or specialist)
  • Change severity: escalate if the investigation reveals broader impact
  • Add tags: label for tracking, e.g. "VIP", "Compliance", "Campaign-2026-04"
  • Add comments: document investigation steps, findings, and decisions
  • Run playbook: trigger automated enrichment, notification, or containment
  • Link to other incidents: connect related incidents across time
  • Close and classify: True Positive, False Positive, or Benign True Positive, with a determination

Sentinel + Defender XDR unified experience

Sentinel incidents now appear in the unified Defender XDR incident queue. This means:

  • One queue for ALL incidents (Defender + Sentinel)
  • Cross-domain investigation (endpoint + identity + email + Sentinel data)
  • Unified entity pages combining Defender and Sentinel telemetry
  • Automated investigation can span both platforms
💡 Exam tip: unified vs separate incident queues

The exam may reference both the Sentinel incident queue and the Defender XDR unified queue. Key point: Sentinel incidents surface in BOTH places. You can investigate from either portal.

The unified experience in Defender XDR is the recommended approach for most investigations because it combines all signal sources. The Sentinel-specific queue is useful when you need Sentinel-only features like the investigation graph, UEBA, or entity timelines.

Question

What tabs are available on a Sentinel incident page?


Answer

Overview (summary, severity, status), Alerts (all grouped alerts), Entities (users, devices, IPs, URLs, files), Evidence (raw log data), Comments (analyst notes), and Similar incidents (past incidents with matching patterns).


Question

What does the Sentinel investigation graph show?


Answer

A visual map of entity relationships within an incident. You can expand entities to see related alerts, follow connections between users/devices/IPs/files, identify the blast radius of an attack, and trace the entry point by following the attack chain backwards.


Question

Where do Sentinel incidents appear in the current architecture?


Answer

In both the Sentinel-specific incident queue AND the unified Defender XDR incident queue. The unified experience is recommended for most investigations as it combines signals from all Defender products and Sentinel in a single interface.


Knowledge Check

Anika investigates a Sentinel incident and discovers that the compromised server (ACME-WEB-03) has connections to 5 other internal servers. How can she quickly visualise the blast radius?

Knowledge Check

A Sentinel incident contains alerts from a Sentinel analytics rule AND a Defender XDR custom detection. Where is the best place to investigate this cross-domain incident?


Next up: Sentinel incidents are managed. Now let’s see how Copilot for Security accelerates your investigations with AI.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.