PracticeVideosBlogFlashcardsEspañol

Free exam prep

Microsoft Certified: Security Operations Analyst Associate (SC-200)

Practice QuestionsStudy GuideCheat SheetFlashcards

5.1 Sentinel Incident Management

Key Takeaways

  • A Microsoft Sentinel incident is a container of one or more related alerts; analytics rules group alerts into incidents using alert grouping and entity mapping
  • Incident severity is Informational, Low, Medium, or High; status moves through New, Active, and Closed, and closing requires a classification such as True Positive or Benign Positive
  • Entity mapping configured on an analytics rule populates the incident's investigation graph; without mapped entities the graph cannot pivot on accounts, hosts, or IPs
  • Bookmarks preserve hunting query results as evidence and can be promoted into a new or existing incident for formal investigation
  • Incident tasks create a repeatable triage checklist that travels with the incident so any analyst can complete consistent response steps
Last updated: May 2026

Why Incident Management Matters for SC-200

The Respond to security incidents domain is 35-40% of the SC-200 exam, and Microsoft Sentinel incident management is its operational core. The exam tests whether you can take a noisy stream of alerts, group it into meaningful incidents, triage by risk, drive an investigation to a defensible conclusion, and close the case with the correct classification. You will see scenario questions that hand you an incident state and ask for the next correct action.

Microsoft Sentinel is Microsoft's cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platform. An incident in Sentinel is a case container that aggregates one or more related alerts. Analysts work incidents, not raw alerts, because a single attack usually fires many alerts.

The Incident Lifecycle

Every Sentinel incident moves through a defined lifecycle. Knowing the order — and which field changes at each stage — is heavily tested.

StageStatusTypical Analyst Action
CreationNewAnalytics rule or Defender XDR connector creates the incident from alerts
TriageNew → ActiveAssess severity, assign an owner, set status to Active
InvestigationActivePivot on entities, run the investigation graph, add bookmarks and comments
Containment / RemediationActiveTrigger playbooks, isolate devices, disable accounts
ClosureClosedSet a classification and reason; document findings
flowchart LR
  A[Alerts fired] --> B[Analytics rule groups alerts]
  B --> C[Incident created: New]
  C --> D[Triage: assign severity + owner]
  D --> E[Active: investigate]
  E --> F{Real threat?}
  F -->|Yes| G[Remediate via playbook]
  F -->|No| H[Close: Benign/False Positive]
  G --> I[Close: True Positive]

Triage: Severity, Owner, and Status

Three fields drive triage and each can be set manually or by automation.

  • SeverityInformational, Low, Medium, or High. Severity is inherited from the analytics rule but can be overridden on the incident, and automation rules can change it dynamically based on entity properties.
  • Owner — the analyst or group responsible. Assigning an owner is the formal start of ownership; an unassigned high-severity incident is a triage failure scenario the exam likes to test.
  • StatusNew, Active, or Closed. Moving to Active signals work in progress. Closing an incident requires a classification.

Closing Classifications

ClassificationMeaningExample
True PositiveConfirmed malicious activityVerified credential theft and data exfiltration
Benign PositiveReal activity, but expected/authorizedPenetration test or sanctioned admin script
False PositiveDetection logic misfiredRule matched a legitimate business process
UndeterminedNot enough evidence to classifyLogs purged before investigation completed

Closing as Benign Positive or False Positive lets you record a reason that feeds tuning and automation rule suppression so the same noise does not reopen later.

Entity Mapping and the Investigation Graph

Entity mapping is configured on the analytics rule, not on the incident. It tells Sentinel which columns in the query results represent strongly typed entities such as Account, Host, IP, URL, File, or Process. This mapping is what makes investigation possible.

  • Mapped entities appear in the Entities tab of the incident.
  • They populate the investigation graph, an interactive map that lets you expand an entity to see related alerts, other incidents, and the timeline of activity around it.
  • Entities also enable entity pages and let automation rules and playbooks act on real objects (for example, disable a specific account).

Exam trap: if the investigation graph is empty or an entity is missing, the fix is almost always to edit the analytics rule's entity mapping, not the incident. Entity mapping cannot be retrofitted onto already-created incidents.

The investigation graph supports up to a configurable number of mapped entities per rule (Microsoft has historically capped this; map the highest-value entities like Account, Host, and IP first when you must choose).

Bookmarks: Turning Hunting Into Evidence

When you run a hunting query in Sentinel and find something suspicious, a raw query result is not yet part of any case. A bookmark preserves a specific query result — the query, the time range, and the selected rows — so it becomes durable evidence.

  • Bookmarks can have mapped entities and tags.
  • A bookmark can be added to a new incident or attached to an existing incident.
  • Bookmarked entities appear in the investigation graph, linking hunting findings to the formal case.
flowchart LR
  A[Hunting query] --> B[Suspicious rows found]
  B --> C[Create bookmark + map entities]
  C --> D{Existing incident?}
  D -->|Yes| E[Attach bookmark to incident]
  D -->|No| F[Create new incident from bookmark]

Incident Tasks

Incident tasks are a checklist embedded in the incident. They standardize how every analyst handles a case so triage quality does not depend on who picked it up.

  • Tasks can be added manually by an analyst or automatically by an automation rule or playbook when the incident is created.
  • Each task has a title, optional description, and a completion state.
  • Tasks travel with the incident, so a SOC lead can audit whether required steps (verify entity, check threat intelligence, contact owner, document outcome) were completed before closure.

A common SC-200 scenario: a SOC wants every phishing incident to follow the same verification steps regardless of analyst. The correct answer is an automation rule that adds incident tasks on incident creation — not training, not a runbook outside the platform.

Test Your Knowledge

An analyst opens a high-severity Microsoft Sentinel incident but the investigation graph shows no accounts, hosts, or IP addresses to pivot on. What is the correct way to fix this going forward?

A
B
C
D
Test Your Knowledge

A SOC team wants every phishing incident in Microsoft Sentinel to follow the same triage checklist regardless of which analyst picks it up. Which capability enforces this?

A
B
C
D
Test Your KnowledgeOrdering

Order the Microsoft Sentinel incident lifecycle stages from first to last.

Arrange the items in the correct order

1
Investigate using the entity-driven investigation graph and bookmarks
2
Analytics rule groups related alerts and creates the incident (New)
3
Triage: assess severity and assign an owner, set status to Active
4
Close the incident with a classification and reason
5
Remediate via playbook or manual containment
Test Your KnowledgeMatching

Match each Microsoft Sentinel closing classification to its correct meaning.

Match each item on the left with the correct item on the right

1
True Positive
2
Benign Positive
3
False Positive
4
Undetermined
Up Next

5.2 Investigation, UEBA & Threat Intelligence

Continue learning