SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit

Domain 3: Microsoft Security Solutions Premium ⏱ ~11 min read

Microsoft Sentinel: SIEM Meets SOAR

How Microsoft Sentinel collects security data from everywhere, detects threats with analytics and ML, investigates incidents, and automates responses with playbooks.

What are SIEM and SOAR?

☕ Simple explanation

Think of SIEM as a security camera room, and SOAR as the automated alarm system.

SIEM (Security Information and Event Management) is the room full of monitors. Every camera in the building — doors, car park, lobby, server room — feeds into this room. An analyst watches the screens, spots suspicious behaviour, and connects the dots: “That person entered the side door at 2am, walked past three cameras avoiding eye contact, and stopped at the server room. That’s not normal.”

SOAR (Security Orchestration, Automation, and Response) is the automated alarm system. When the cameras detect someone in a restricted area after hours, SOAR automatically locks the doors, alerts security, turns on floodlights, and starts recording in high resolution — without waiting for a human to press a button.

Microsoft Sentinel is both the camera room AND the alarm system — a cloud-native SIEM + SOAR in one platform.

SIEM collects, correlates, and analyses security log data from across an entire environment — servers, network devices, applications, identity systems, cloud services. It normalises data from different sources into a common format, applies analytics rules and machine learning to detect threats, and presents correlated incidents for investigation.

SOAR extends SIEM with automation. It uses playbooks (automated workflows) to respond to common threats without human intervention — for example, automatically isolating a compromised device, blocking a malicious IP, or creating a ticket in the incident management system.

Microsoft Sentinel is Microsoft’s cloud-native SIEM + SOAR solution built on top of Azure Log Analytics. It scales automatically, requires no infrastructure management, and integrates natively with the Microsoft security ecosystem.

The four pillars of Microsoft Sentinel

Sentinel’s capabilities map to four stages: Collect, Detect, Investigate, Respond.

1. Collect — data connectors

Sentinel ingests security data from across your environment through data connectors:

  • Microsoft services: Microsoft 365, Entra ID, Defender XDR, Defender for Cloud, Azure Activity
  • Azure services: Azure Firewall, NSG flow logs, Azure Key Vault, Azure DDoS Protection
  • Third-party products: Palo Alto, Cisco, AWS CloudTrail, Okta, ServiceNow
  • Custom sources: Common Event Format (CEF), Syslog, REST API

The more data connectors you enable, the broader Sentinel’s visibility. Alex connects SecureBank’s M365 tenant, Azure subscriptions, and the on-prem firewall — giving Sentinel a 360-degree view of the environment.

2. Detect — analytics rules and ML

Once data flows in, Sentinel applies analytics rules to detect threats:

  • Scheduled rules — KQL (Kusto Query Language) queries that run on a schedule, looking for specific patterns (“Alert if more than 5 failed logins from the same IP in 10 minutes”)
  • Microsoft security rules — automatically create Sentinel incidents from alerts generated by other Microsoft products (Defender for Endpoint, Defender for Cloud)
  • Machine learning (ML) rules — built-in anomaly detection that learns normal behaviour and flags deviations
  • Fusion rules — Sentinel’s advanced multi-stage attack detection engine that correlates low-priority signals from different sources into high-confidence incidents
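
As an added illustration (not code from this page or from Microsoft Sentinel), the Python below models the logic of the scheduled rule quoted above: a sliding 10-minute window over failed sign-ins grouped by source IP. In Sentinel the same rule would be written in KQL against the sign-in log table; the events and their field layout here are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in events (timestamp, user, source IP), shaped
# loosely like the fields a Sentinel SigninLogs failure carries.
FAILED_SIGNINS = [
    ("2024-05-01T02:00:10", "james@securebank.example", "203.0.113.9"),
    ("2024-05-01T02:01:40", "james@securebank.example", "203.0.113.9"),
    ("2024-05-01T02:03:05", "maria@securebank.example", "203.0.113.9"),
    ("2024-05-01T02:04:30", "maria@securebank.example", "203.0.113.9"),
    ("2024-05-01T02:06:00", "sam@securebank.example", "203.0.113.9"),
    ("2024-05-01T02:07:15", "sam@securebank.example", "203.0.113.9"),
    ("2024-05-01T02:00:00", "james@securebank.example", "198.51.100.4"),
    ("2024-05-01T02:30:00", "james@securebank.example", "198.51.100.4"),
]

def failed_login_bursts(events, threshold=5, window_minutes=10):
    """Model of the scheduled rule 'alert if more than <threshold> failed
    logins from the same IP in <window_minutes> minutes'. A sliding window
    per IP catches bursts that a fixed 10-minute bucket would split.
    Returns one alert per offending IP with the window and accounts hit."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ip, hits in sorted(by_ip.items()):
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= window_minutes
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({
                    "ip": ip,
                    "window_start": hits[start][0].isoformat(),
                    "window_end": hits[end][0].isoformat(),
                    "failures": count,
                    "accounts": sorted({u for _, u in hits[start:end + 1]}),
                })
                break  # one alert per IP per run; the next run re-evaluates
    return alerts

if __name__ == "__main__":
    for alert in failed_login_bursts(FAILED_SIGNINS):
        print(alert)
```

The spray from 203.0.113.9 crosses the threshold at its sixth failure, while the two failures from 198.51.100.4 are 30 minutes apart and never fit one window.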

3. Investigate — incidents and entity mapping

When analytics rules trigger, Sentinel creates incidents — grouped collections of related alerts. Investigation tools include:

  • Investigation graph — visual map showing relationships between entities (users, IPs, devices, files) involved in an incident
  • Entity pages — detailed profiles for users, hosts, and IP addresses showing all related activity
  • Bookmarks — save interesting findings during a hunting session for later investigation

4. Respond — automation with playbooks

Playbooks are automated workflows built on Azure Logic Apps that execute when triggered by a Sentinel alert or incident. Examples:

  • Suspicious sign-in detected: block the user account, send Teams notification to SOC
  • Malware alert from Defender for Endpoint: isolate the device from the network, create ServiceNow ticket
  • New IP flagged as malicious: add IP to Azure Firewall block list, enrich alert with threat intelligence

💡 Scenario: Alex investigates a multi-stage attack on SecureBank

Sentinel’s Fusion engine correlates three signals that individually seem low-risk:

  1. Entra ID: Impossible travel — James’s account logs in from Auckland and then London 20 minutes later
  2. Defender for Endpoint: The London login came from a device not registered to SecureBank
  3. M365: The London session downloaded 200 customer files from SharePoint in 5 minutes

Individually, each signal has a reasonable explanation. Together, Fusion recognises a classic pattern: credential theft followed by data exfiltration.

Sentinel creates a high-severity incident. Alex opens the investigation graph and sees the full attack chain visually: compromised credentials → unknown device → mass file download.

A playbook automatically triggers: James’s account is disabled, the SOC receives a Teams alert, and a ServiceNow ticket is created. The entire response happens within 90 seconds of detection.
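As an added illustration (not Sentinel's own code), the Python below models the Fusion-style correlation and the playbook response from the scenario: the three low-priority signals are chained per user, in order and within a time window, and only a completed chain produces a high-severity incident that the simulated playbook acts on. The signal field names and the CHAIN list are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed low-severity signals from the three sources in the scenario.
# Field names are assumptions for this example, not Sentinel's schema.
SIGNALS = [
    {"source": "EntraID", "kind": "impossible_travel", "user": "james",
     "time": "2024-05-01T09:00:00"},
    {"source": "DefenderEndpoint", "kind": "unregistered_device", "user": "james",
     "time": "2024-05-01T09:02:00"},
    {"source": "M365", "kind": "mass_download", "user": "james",
     "time": "2024-05-01T09:05:00"},
    # maria's download has no preceding stages, so it must stay low-priority
    {"source": "M365", "kind": "mass_download", "user": "maria",
     "time": "2024-05-01T11:00:00"},
]

# The ordered chain the scenario describes (assumed for this example).
CHAIN = ["impossible_travel", "unregistered_device", "mass_download"]

def correlate(signals, chain=CHAIN, window=timedelta(hours=1)):
    """Fusion-style correlation: one high-severity incident per user whose
    signals complete the whole chain, in order, inside the window."""
    incidents = []
    for user in sorted({s["user"] for s in signals}):
        mine = sorted((s for s in signals if s["user"] == user),
                      key=lambda s: s["time"])
        matched = []
        for s in mine:  # walk the chain stage by stage, in time order
            if len(matched) < len(chain) and s["kind"] == chain[len(matched)]:
                matched.append(s)
        if len(matched) < len(chain):
            continue
        span = (datetime.fromisoformat(matched[-1]["time"])
                - datetime.fromisoformat(matched[0]["time"]))
        if span <= window:
            incidents.append({"user": user, "severity": "High",
                              "title": "Credential theft followed by data exfiltration",
                              "evidence": [s["source"] for s in matched]})
    return incidents

def run_playbook(incident):
    """Simulated playbook: records the actions a Logic App would take for
    a high-severity incident; lower severities get no automatic action."""
    if incident["severity"] != "High":
        return []
    return [f"disable account {incident['user']}",
            "post Teams alert to SOC channel",
            f"create ServiceNow ticket: {incident['title']}"]
```

Calling `run_playbook(inc)` for each `inc` in `correlate(SIGNALS)` yields the three actions for James only; Maria's isolated download never reaches the playbook.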

Workbooks and threat hunting

Beyond automated detection, Sentinel provides tools for proactive security:

  • Workbooks — interactive dashboards that visualise security data (for example, a dashboard showing all sign-in failures over the past 30 days by location and user)
  • Hunting queries — pre-built and custom KQL queries that security analysts run proactively to search for threats that analytics rules might have missed. This is “threat hunting” — looking for trouble before it finds you.

Sentinel and Defender XDR — how they work together

Sentinel and Defender XDR are complementary: breadth meets depth.

  • Data sources: Sentinel covers everything (Microsoft, third-party, on-prem, custom); Defender XDR covers Microsoft Defender products only (tightly integrated)
  • Visibility: Sentinel is broad (the entire environment); Defender XDR is deep (within the Microsoft security ecosystem)
  • Detection approach: Sentinel uses custom analytics rules, ML, Fusion and hunting queries; Defender XDR uses pre-built detections optimised for Microsoft signals
  • Automation: Sentinel uses playbooks via Logic Apps; Defender XDR has built-in automated investigation and response (AIR)
  • Best for: Sentinel for wide visibility across all sources; Defender XDR for deep cross-product correlation within Microsoft

They are complementary. Sentinel provides the broad SIEM/SOAR layer across all data sources, while Defender XDR provides deep, integrated detection and response within the Microsoft product suite. Microsoft Sentinel is now available directly in the Microsoft Defender portal (security.microsoft.com), creating a unified security operations platform where Sentinel and Defender XDR incidents appear together.

💡 Exam tip: SIEM vs XDR question patterns

The exam loves asking about the difference between Sentinel and Defender XDR:

  • If the question mentions collecting data from third-party sources or custom log sources — the answer is Sentinel (SIEM).
  • If the question mentions automatic correlation across Microsoft Defender products — the answer is Defender XDR.
  • If the question asks where both come together — the answer is the unified Microsoft Defender portal.

Remember: SIEM = broad data collection and analytics. XDR = deep product-level integration. They work together, not as replacements.

🎬 Video walkthrough

🎬 Video coming soon

Microsoft Sentinel — SIEM + SOAR Explained (SC-900)

~9 min

Flashcards

Question

What is SIEM?

Answer

Security Information and Event Management. It collects security log data from across an entire environment, correlates events from different sources, and helps analysts detect and investigate threats. Think: the security camera room that sees everything.

Question

What is SOAR?

Answer

Security Orchestration, Automation, and Response. It automates responses to security threats using playbooks — predefined workflows that execute actions like blocking accounts, isolating devices, or creating tickets without waiting for human intervention.

Question

What are the four pillars of Microsoft Sentinel?

Answer

1) Collect — ingest data via data connectors from Microsoft, Azure, third-party, and custom sources. 2) Detect — analytics rules (scheduled, ML, Fusion) identify threats. 3) Investigate — incidents, investigation graph, entity mapping. 4) Respond — automated playbooks built on Logic Apps.

Question

What is Fusion in Microsoft Sentinel?

Answer

Fusion is Sentinel's advanced multi-stage attack detection engine. It correlates multiple low-priority alerts from different sources into a single high-confidence incident. For example, it can connect an impossible travel alert with a mass file download to detect credential theft and data exfiltration.

Question

How do Sentinel and Defender XDR complement each other?

Answer

Sentinel is a broad SIEM/SOAR that ingests data from all sources (Microsoft, third-party, custom). Defender XDR provides deep, integrated detection within the Microsoft product suite. Together they provide both wide visibility and deep product-level intelligence in the unified Defender portal.

Knowledge check

  1. SecureBank's SOC team wants to automatically block a user account when Sentinel detects an impossible travel alert followed by suspicious file downloads. Which Sentinel capability should Alex configure?
  2. Director Reyes wants to know: 'Why do we need Sentinel if we already have Defender for Cloud?' What is the key difference?
  3. James, the SOC lead, wants to proactively search for signs of lateral movement in SecureBank's network that automated analytics rules might have missed. Which Sentinel feature should he use?

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.