7.1 Sentinel as SIEM and SOAR
Key Takeaways
- Microsoft Sentinel is the SC-900 Microsoft security solution associated with SIEM and SOAR.
- SIEM is about collecting and analyzing security signals so security teams can detect threats.
- SOAR is about coordinating response actions and automation after security events are identified.
- Sentinel belongs in the security solutions domain, not the compliance or identity governance domains.
Why Sentinel Matters for SC-900
Microsoft Sentinel is the Microsoft security solution that SC-900 associates with Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR). The source brief places Sentinel inside the Microsoft security solutions domain, which carries the largest exam weight range at 35-40%. That does not mean every question is a Sentinel question, but it does mean you should be comfortable recognizing where Sentinel fits.
At the fundamentals level, treat SIEM as the analysis side of security operations. A SIEM brings security-relevant data together so alerts, patterns, and suspicious behavior can be investigated. Treat SOAR as the response coordination side. SOAR capabilities help teams use rules, workflow, and automation to respond consistently when an incident needs action.
| Concept | Exam-level meaning | Product match |
|---|---|---|
| SIEM | Centralize and analyze security signals for detection and investigation | Microsoft Sentinel |
| SOAR | Coordinate response actions and automation | Microsoft Sentinel |
| Identity governance | Review and control access over time | Microsoft Entra ID Governance |
| Compliance management | Track regulatory and data governance work | Microsoft Purview |
A common trap is to confuse Sentinel with the Defender family. Defender products are usually workload or threat protection products: Defender for Endpoint protects endpoint devices, Defender for Office 365 protects email and collaboration workloads, Defender for Identity protects on-premises Active Directory, and Defender for Cloud Apps is the cloud access security broker (CASB) for SaaS app discovery and control. Sentinel is different because its exam role is SIEM, SOAR, analytics, hunting, workbooks, and playbooks.
Another trap is to send a compliance scenario to Sentinel. If the prompt asks for sensitivity labels, data loss prevention, retention, eDiscovery, audit, Compliance Manager, or compliance score, the better match is Microsoft Purview. Sentinel may help with threat detection and mitigation, but it is not the study guide chapter for compliance controls.
Use this mental sequence when answering Sentinel questions:
- Security data is connected to Sentinel.
- Analytics and hunting help detect suspicious activity.
- Incidents give the operations team something to investigate and manage.
- Workbooks help visualize and review security information.
- Automation rules and playbooks help coordinate response.
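To make the SIEM-then-SOAR split in this sequence concrete, here is an added toy model (constructed for this page, not Sentinel code or any Microsoft API): connected sign-in events are run through a detection rule that raises incidents, and an automation rule then acts on each incident. The event records, thresholds, rule names and playbook action are all assumptions.

```python
"""Toy model of the connected data -> analytics -> incident -> automation sequence."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample sign-in events, standing in for data connected to the SIEM.
SIGNIN_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "Failure"},
    {"user": "bob",   "ip": "198.51.100.7", "result": "Failure"},
    {"user": "bob",   "ip": "198.51.100.7", "result": "Success"},
]

@dataclass
class Incident:
    title: str
    severity: str
    entities: dict
    tags: list = field(default_factory=list)
    owner: Optional[str] = None

def analytics_rule(events, threshold=5):
    """SIEM side: detect repeated failed sign-ins per (user, ip) and raise one incident per match."""
    failures = Counter((e["user"], e["ip"]) for e in events if e["result"] == "Failure")
    return [Incident(title="Repeated failed sign-ins", severity="Medium",
                     entities={"user": user, "ip": ip})
            for (user, ip), count in failures.items() if count >= threshold]

def automation_rule(incident):
    """SOAR side: when an incident is created, tag it, assign an owner, and record the playbook run."""
    actions = []
    if incident.title == "Repeated failed sign-ins":
        incident.tags.append("brute-force-suspect")
        incident.owner = "soc-tier1"
        actions.append(f"playbook:notify-soc user={incident.entities['user']}")
    return actions

def run_pipeline(events):
    """Detection produces incidents; automation handles each one. Returns (incident, actions) pairs."""
    return [(inc, automation_rule(inc)) for inc in analytics_rule(events)]
```

The detection function is the SIEM boundary (analysis of connected data) and the automation function is the SOAR boundary (coordinated response); neither belongs to Purview or Entra ID Governance.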
For SC-900, you do not need to design a production security operations center. You need to choose the right product when the scenario says SIEM, SOAR, centralized security analysis, threat detection, incident investigation, hunting, or automated response.
Exam Boundary Reminder
Sentinel questions usually reward recognizing the security operations boundary before choosing a product. Keep the answer tied to connected security data, centralized analysis, detection, investigation, visualization, or response. When the prompt shifts to labels, access reviews, endpoint devices, or SaaS app control, it has moved to another Microsoft product area.
- Identify the operation first.
- Match SIEM and SOAR language to Sentinel.
- Avoid adding implementation assumptions the prompt does not provide.
Which Microsoft security solution should you choose for an SC-900 scenario that asks for SIEM and SOAR capabilities?
At the SC-900 level, what is the best description of SIEM?
Which scenario is least likely to point to Microsoft Sentinel?