7.1 Sentinel as SIEM and SOAR
Key Takeaways
- Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native SIEM and SOAR platform built on a Log Analytics workspace.
- SIEM collects and analyzes security signals to detect threats; SOAR orchestrates and automates the response.
- Sentinel ingests from Microsoft and non-Microsoft sources, making it the cross-source single pane of glass.
- Defender XDR is an XDR for Microsoft sources; Sentinel is the broader SIEM that can ingest Defender XDR incidents.
- On SC-900, Sentinel sits in the Microsoft security solutions domain (~25-30% of the exam).
What Microsoft Sentinel Is
Microsoft Sentinel (formerly Azure Sentinel — the rebrand is commonly tested) is Microsoft's cloud-native SIEM and SOAR platform. SC-900 places it in the third skill area, Capabilities of Microsoft security solutions (roughly 25-30% of the exam), alongside Microsoft Defender for Cloud and Microsoft Defender XDR. You do not need to operate a Security Operations Center (SOC) to pass; you need to recognize when Sentinel is the right answer and how its parts fit together.
SIEM stands for Security Information and Event Management. It is the collection and analysis side of security operations: a SIEM ingests logs and security signals from across the estate, normalizes them, and analyzes them to detect threats and support investigation. SOAR stands for Security Orchestration, Automation, and Response. It is the response side: it coordinates and automates the actions a team takes after a threat is found, reducing manual, repetitive work. Sentinel delivers both in one service, which is why scenarios that pair detection with automated response point so cleanly to it.
| Acronym | Full name | What it does in Sentinel |
|---|---|---|
| SIEM | Security Information and Event Management | Ingest, store, and analyze logs to detect and investigate threats |
| SOAR | Security Orchestration, Automation, and Response | Automate and orchestrate response via playbooks and automation rules |
| UEBA | User and Entity Behavior Analytics | Baseline normal behavior to surface anomalous users/entities |
| KQL | Kusto Query Language | The query language used by analytics rules and hunting |
Sentinel is cloud-native: there is no server to deploy, patch, or scale. It runs as a service on top of an Azure Monitor Log Analytics workspace, which stores the ingested data, and you pay primarily for the volume of data ingested and retained. Because it is a managed Azure service, capacity scales elastically, a contrast the exam likes to draw against legacy, appliance-based SIEMs.
Sentinel vs. Defender XDR — the Selection Trap
The single most-tested distinction in this chapter is Sentinel (SIEM) vs. Microsoft Defender XDR (XDR). XDR (Extended Detection and Response) automatically collects, correlates, and analyzes signals across a defined set of Microsoft workloads — endpoints, identities, email and collaboration, and cloud apps — and presents unified incidents with little setup. SIEM is broader and source-agnostic: Sentinel ingests from Microsoft and third-party and on-premises sources (firewalls, network gear, AWS, Google, syslog, custom apps) to give enterprise-wide visibility.
The two are complementary. Defender XDR can act as a high-fidelity data connector into Sentinel, feeding its correlated incidents upward so a SOC gets one cross-estate view and can hunt and automate on top of everything. Use these cues:
- "Microsoft 365 / Microsoft workloads only, automatic correlation" -> Defender XDR.
- "Aggregate logs from many sources, including non-Microsoft, into one SIEM" -> Microsoft Sentinel.
- "Detect and automatically respond (SOAR)" -> Microsoft Sentinel.
Keep these product lanes separate
A second trap is sending a non-security task to Sentinel. If the prompt asks for sensitivity labels, DLP, retention, eDiscovery, audit, or Compliance Manager, the answer is Microsoft Purview. If it asks for access reviews, Conditional Access, PIM, or identity risk, the answer is Microsoft Entra. Sentinel owns the SIEM/SOAR, analytics, hunting, workbooks, and playbooks language.
| Scenario language | Product |
|---|---|
| SIEM, SOAR, cross-source log aggregation, automated response | Microsoft Sentinel |
| Correlated incidents across Microsoft endpoints/identity/email/apps | Microsoft Defender XDR |
| Sensitivity labels, DLP, retention, eDiscovery, compliance score | Microsoft Purview |
| Access reviews, Conditional Access, PIM, identity protection | Microsoft Entra |
Keep a simple mental sequence for any Sentinel question: connect data, detect with analytics, investigate via incidents and hunting, visualize with workbooks, and respond with automation rules and playbooks. Recognizing that flow is most of what SC-900 asks for.
The End-to-End Sentinel Workflow
Almost every Sentinel exam question maps to one stage of a single end-to-end pipeline, so learning the stages in order makes scenario questions easy to place. Stage one is ingestion. Data connectors ingest logs and alerts from across the environment into the Log Analytics workspace, where they become normalized, queryable tables. Stage two is detection. Analytics rules run KQL queries over that data on a schedule, and when their logic matches they raise alerts.
Microsoft's built-in machine learning, including the Fusion engine, correlates weak or seemingly unrelated signals into high-confidence incidents; User and Entity Behavior Analytics (UEBA) baselines normal behavior to surface anomalies; and threat intelligence enriches detections with known indicators of compromise.
Stage three is investigation. Sentinel groups related alerts into incidents that a security analyst owns, prioritizes, and works, supported by an investigation graph and by proactive hunting across the same data. Stage four is visualization. Workbooks turn the data and incidents into interactive dashboards for monitoring and reporting. Stage five is response. Automation rules orchestrate triage, and playbooks built on Logic Apps run the actual remediation steps, such as disabling a compromised account or isolating a device.
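To make stage two concrete, here is an added example of the kind of KQL query a scheduled analytics rule runs. It is not from the study guide or from Microsoft; it is illustrative only. It flags a source IP that fails sign-ins against several different accounts and then succeeds against one of them, which is the pattern an analyst would want surfaced as an alert rather than buried in raw logs. The rows are constructed sample data embedded with `datatable` so the query runs in any Log Analytics or Sentinel query pane without real data; the column names and the "0 means success" convention mirror the Entra ID `SigninLogs` table as ingested by the Entra ID data connector (an assumption about that connector's schema, not something the chapter states). The thresholds are deliberately low so the sample triggers; a production rule would use higher values and a lookback window.

```kql
// Added example: scheduled-analytics-rule-style detection over constructed sign-in rows.
// Replace SampleSigninLogs with the real SigninLogs table to run it as a rule.
let SampleSigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    // ResultType "0" = successful sign-in; "50126" = bad username or password (constructed rows)
    datetime(2024-01-15 09:00:00), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:05), "bob@contoso.example",   "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:10), "carol@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:15), "dave@contoso.example",  "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:20), "erin@contoso.example",  "203.0.113.10", "50126",
    datetime(2024-01-15 09:02:00), "erin@contoso.example",  "203.0.113.10", "0",
    datetime(2024-01-15 09:05:00), "frank@contoso.example", "198.51.100.7", "50126",
    datetime(2024-01-15 09:06:00), "frank@contoso.example", "198.51.100.7", "0"
];
// Tuning knobs: set low so the sample fires; raise both for a real rule.
let FailThreshold = 5;
let MinDistinctUsers = 3;
// Step 1: per source IP, count failures and how many distinct accounts were tried.
let Failures = SampleSigninLogs
    | where ResultType != "0"
    | summarize FailedCount = count(),
                DistinctUsers = dcount(UserPrincipalName),
                LastFail = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= FailThreshold and DistinctUsers >= MinDistinctUsers;
// Step 2: keep only IPs that also produced a successful sign-in after the failures.
SampleSigninLogs
| where ResultType == "0"
| project IPAddress, SuccessUser = UserPrincipalName, SuccessTime = TimeGenerated
| join kind=inner Failures on IPAddress
| where SuccessTime > LastFail
| project IPAddress, FailedCount, DistinctUsers, SuccessUser, SuccessTime
```

On the sample rows the query returns a single result: `203.0.113.10` with five failures across five accounts and a later success for `erin@contoso.example`. The `198.51.100.7` rows are dropped because one failed attempt by one user does not meet either threshold. In Sentinel, a scheduled rule built on this query would raise an alert for each returned row, the alert would be grouped into an incident (stage three), and an automation rule could hand the incident to a playbook (stage five), which is exactly the pipeline the chapter describes.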
The terms map cleanly to SIEM and SOAR. The SIEM role covers stages one through four — collect, detect, investigate, and visualize. The SOAR role covers stage five — orchestrate and automate response. When a question pairs broad, multi-source detection with automated, repeatable response, only one Microsoft product spans both halves end to end, and that is Microsoft Sentinel.
Finally, remember the positioning facts SC-900 favors. Sentinel is a paid Azure service billed mainly by data volume, has no hardware to manage, is the single pane of glass that unifies signals a SOC would otherwise chase across many consoles, and is the natural place to aggregate the high-fidelity incidents Microsoft Defender XDR produces. Holding the pipeline and these facts in mind lets you answer feature, selection, and definition questions confidently.
Practice Questions
- Which statement best describes Microsoft Sentinel for SC-900?
- An organization needs to aggregate logs from Azure, on-premises firewalls, and AWS into one platform for cross-estate threat detection and automated response. Which is the best fit?
- How does Microsoft Defender XDR differ from Microsoft Sentinel?