11.4 Sentinel Playbook for SIEM, SOAR, and Hunting
Key Takeaways
- Microsoft Sentinel is the SC-900 answer when the scenario is about SIEM, SOAR, connectors, incidents, hunting, workbooks, or playbooks.
- SIEM work centers on collecting and analyzing security data; SOAR work centers on orchestrating and automating response.
- Automation rules and Logic Apps playbooks are Sentinel scenario clues.
- Sentinel can use data from Defender products, but it is selected for security operations workflows rather than single-workload protection.
Choose Sentinel for Cross-Source Security Operations
Microsoft Sentinel is the SC-900 product for security information and event management (SIEM) and security orchestration, automation, and response (SOAR). In exam language, that means collecting data through connectors, using analytics rules to detect threats, creating incidents, investigating with hunting, visualizing with workbooks, and automating response with automation rules and Logic Apps playbooks. If the prompt sounds like a security operations center workflow, Sentinel should be high on your list.
A common trap is choosing a Defender product just because the scenario includes a threat. Defender products protect and detect within specific workloads. Sentinel is chosen when the scenario asks to bring data together, correlate signals, investigate incidents across sources, or automate response steps. Defender may produce useful alerts, but Sentinel is the SIEM and SOAR layer in the SC-900 objectives.
| Sentinel clue | What it means | Product-selection signal |
|---|---|---|
| Data connector | Bring security data into the workspace | SIEM collection |
| Analytics rule | Detect suspicious patterns and create alerts or incidents | SIEM detection |
| Incident | Correlated security event requiring investigation | Security operations workflow |
| Hunting | Search for threats using queries and investigation logic | Proactive investigation |
| Workbook | Visualize data for monitoring and analysis | Security dashboarding |
| Automation rule | Apply automated handling to incidents | SOAR process control |
| Logic Apps playbook | Trigger response actions | SOAR response automation |
Do Not Treat Sentinel as Every Security Answer
- Use Sentinel when the required action is to centralize, correlate, investigate, hunt, visualize, or automate.
- Use Defender for Cloud when the required action is to assess cloud posture or protect cloud workloads.
- Use Defender for Endpoint when the required action is to protect or investigate endpoint devices.
- Use Microsoft Purview when the required action is to classify, retain, audit, or investigate data for compliance.
SC-900 does not expect advanced query writing, but it may expect awareness that Kusto Query Language (KQL) is associated with hunting and analysis in Microsoft security tooling. A question might mention hunting queries or notebooks to suggest threat investigation rather than identity governance or compliance management. That points to Sentinel when the scenario is about SIEM-driven investigation.
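To make the connector, analytics rule, and incident chain from the workflow above concrete, here is an added example of a scheduled analytics rule query written in KQL. It is not part of the SC-900 guide or of any Microsoft rule template; it assumes the SigninLogs table populated by the Microsoft Entra ID data connector, and the failure threshold and lookback window are illustrative values chosen here.

```kql
// Added example, not from the guide: detect a burst of failed sign-ins for an
// account from one IP address followed by a successful sign-in from that same
// IP. Each row the query returns is what a scheduled analytics rule would turn
// into an alert, which Sentinel groups into an incident for the SOC to work.
let lookback = 1h;            // illustrative window; tune for your tenant
let failure_threshold = 5;    // illustrative threshold; tune for your tenant
// Step 1: count password failures per account and source IP
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"   // Entra ID result: invalid username or password
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailureCount >= failure_threshold;
// Step 2: successful sign-ins in the same window
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"       // Entra ID result: success
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
// Step 3: correlate the two sets; only a success that comes after the last
// failure from the same account and IP is reported
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, FailureCount,
          FirstFailure, LastFailure, SuccessTime
```

Saved as a scheduled analytics rule, the same query illustrates the exam chain: the connector supplies SigninLogs, the rule raises alerts, Sentinel builds incidents, and an automation rule can then hand the incident to a Logic Apps playbook.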
Sentinel also appears in Zero Trust and defense-in-depth scenarios. For example, an organization may have identity controls, network controls, and workload protection, then still need a central place to detect and respond to threats. Sentinel fits that layered model because it can collect and analyze signals from multiple sources. It does not replace the controls that prevent or protect; it helps detect, investigate, and respond.
When answer choices include both Sentinel and Microsoft Defender XDR, focus on the wording. If the question asks for the Microsoft security portal experience that correlates Defender signals, Defender XDR may be the better match. If it asks for SIEM, SOAR, connectors, workbooks, hunting, or playbooks, Sentinel is the clearer answer. This distinction is one of the most useful final-week product-selection drills.
A security operations team wants to use analytics rules, incidents, hunting, workbooks, and automated playbooks. Which product best matches the scenario?
Which phrase most strongly indicates a SOAR requirement in SC-900 wording?
A prompt asks for a SIEM product that collects data from many sources and helps correlate incidents. Which answer is best?