Microsoft Sentinel: Data Connectors, Analytics Rules, and Incidents
Sentinel is the central platform for SC-200. Data connectors ingest signals into Sentinel Log Analytics workspaces. Microsoft connectors (native, free ingestion for most): Microsoft 365 Defender, Entra ID, Azure Activity, Defender for Cloud, Microsoft Defender products. Third-party connectors use CEF (Common Event Format) over Syslog or API polling. Analytics rules create incidents from data: Scheduled analytics rules (KQL query on a defined frequency — generates alert when results exceed threshold), Near-real-time rules (NRT — 1-minute frequency, built-in KQL templates), Microsoft Security rules (promote alerts from Defender products directly into Sentinel). Alert grouping: configure rules to group multiple alerts into a single incident by entity (IP, user, host) over a time window — reduces incident noise. Entity mapping: analytics rules map fields in query results to entity types (Account, Host, IP, URL, File) — enables entity pages and UEBA correlation.
Kusto Query Language (KQL) for Security Analysis
KQL is the query language for all Azure Monitor-based services including Sentinel. Fundamental syntax: TableName | operator1 | operator2 — pipe operators process data left to right. Key operators: where (filter rows — use == for exact match, contains for substring, has for whole-word match — has is faster than contains for log data), project (select columns), extend (add computed columns), summarize (aggregate — count(), countif(), dcount(), sum(), avg(), make_list()), join (combine tables — join kinds: inner, leftouter, rightouter, fullouter), parse (extract structured data from unstructured strings — parse Column with 'prefix' FieldName:string 'suffix' pulls the text between the two literals into FieldName), render (visualise — barchart, timechart, piechart). Time filters: where TimeGenerated >= ago(24h), bin() for time-bucketing (bin(TimeGenerated, 1h) groups events into hourly buckets). Common security KQL patterns: failed logins (SecurityEvent | where EventID == 4625), privilege escalation (SecurityEvent | where EventID == 4672), process creation (SecurityEvent | where EventID == 4688 | where NewProcessName contains 'powershell').
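As an added example (not part of the original notes), the query below exercises the operators listed above and at the same time is shaped like the scheduled-rule query from the Sentinel section: a threshold, hourly bin(), and output columns ready for entity mapping. It assumes Windows Security events (EventIDs 4625 and 4624) are ingested into the SecurityEvent table; the threshold of 20 is illustrative.

```kql
// Added example, not from the original notes. Assumes SecurityEvent contains
// EventID 4625 (failed logon) and 4624 (successful logon) from Windows hosts.
let lookback = 24h;
let threshold = 20;     // illustrative: tune to your environment's baseline
// Step 1: failed logons per source IP per hour. bin() buckets TimeGenerated,
// summarize aggregates, make_set collects the accounts that were tried.
let failed =
    SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4625
    | where isnotempty(IpAddress) and IpAddress != "-"   // 4625 often lacks an IP
    | summarize FailedCount = count(),
                TargetAccounts = make_set(TargetUserName, 50),
                FirstFailure = min(TimeGenerated)
        by IpAddress, Hour = bin(TimeGenerated, 1h)
    | where FailedCount >= threshold;
// Step 2: successful network logons (LogonType 3) from the same IPs.
let succeeded =
    SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventID == 4624 and LogonType == 3
    | project IpAddress, Hour = bin(TimeGenerated, 1h),
              SucceededAccount = TargetUserName, Computer;
// Step 3: an inner join keeps only IPs that failed many times and then
// succeeded in the same hour, i.e. a spray or brute force that landed.
// In a scheduled analytics rule these output columns are what entity
// mapping points at: IpAddress -> IP, SucceededAccount -> Account,
// Computer -> Host. Grouping alerts by IpAddress over a time window then
// folds repeated hits from one source into a single incident.
failed
| join kind=inner (succeeded) on IpAddress, Hour
| project Hour, IpAddress, FailedCount, TargetAccounts, SucceededAccount, Computer
| order by FailedCount desc
```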
Microsoft Defender XDR: Endpoint, Identity, and Office 365
Defender XDR correlates signals across Defender products into unified incidents. Defender for Endpoint (MDE): endpoint protection with EDR — advanced threat hunting with device timeline (every process, network connection, file operation on the device in chronological order), alert investigation graph (shows attack chain visually), automated investigation and remediation (AIR — isolates device, kills malicious processes, removes threats automatically). Alerts vs incidents: alerts are individual detections, incidents group correlated alerts into a single investigation unit. Defender for Identity (MDI): monitors on-premises AD — detects lateral movement (pass-the-hash, pass-the-ticket), privilege escalation, reconnaissance (user and group enumeration), and compromised credentials (password spray, brute force). MDI uses AD sensor agents installed on DCs. Defender for Office 365 (MDO): Plan 1 (anti-phishing, anti-malware, safe attachments, safe links), Plan 2 adds attack simulation training, threat explorer, and automated investigation. Threat Explorer: query email metadata in real time — find phishing emails by sender, URL, or payload hash.
Threat Hunting and Proactive Defence
Threat hunting is the proactive search for adversaries that bypassed automated detection. Hunting hypothesis: starts with a threat intelligence tip, ATT&CK TTP, or anomaly observation — forms a hypothesis ('Did any host communicate with this C2 IP over the past 30 days?'). Sentinel hunting queries: pre-built and custom KQL queries across all ingested data — save queries, track results, promote successful hunts to bookmarks and then to analytics rules. Live response in MDE: interactive shell on a managed endpoint — run commands, collect files, memory dumps for forensic investigation without physically accessing the device. Advanced Hunting in Defender XDR: query 30 days of raw telemetry across all Defender products using KQL — tables include DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents, AlertInfo. MITRE ATT&CK integration: Sentinel threat hunting and Defender XDR alerts map to ATT&CK tactics and techniques — prioritise hunts based on your threat model and the ATT&CK techniques most relevant to your industry.
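The hunting hypothesis quoted above, written as a Defender XDR Advanced Hunting query (an added example, not from the original notes). The two IP addresses are constructed placeholders from the RFC 5737 documentation range and stand in for indicators from your threat intelligence source; the table and column names are the DeviceNetworkEvents schema.

```kql
// Added example, not from the original notes. Answers "did any host
// communicate with these C2 IPs over the past 30 days?" over the
// Advanced Hunting DeviceNetworkEvents table.
// The addresses are constructed placeholders (RFC 5737 documentation range).
let c2_ips = dynamic(["192.0.2.10", "198.51.100.77"]);
DeviceNetworkEvents
| where Timestamp >= ago(30d)               // Advanced Hunting retains 30 days
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIP in (c2_ips)
// parse pulls the base64 argument out of an encoded PowerShell launch. The
// literal is matched case-sensitively and the trailing column takes the rest
// of the string; rows without the literal simply get an empty EncodedCmd.
| parse InitiatingProcessCommandLine with * "-EncodedCommand " EncodedCmd:string
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemotePorts = make_set(RemotePort),
            LaunchingProcesses = make_set(InitiatingProcessFileName),
            EncodedCmds = make_set_if(EncodedCmd, isnotempty(EncodedCmd))
    by DeviceName, RemoteIP
| order by FirstSeen asc
// Each hit is a candidate bookmark; a hunt that keeps producing true positives
// is promoted to an analytics rule or custom detection instead of being re-run
// by hand.
```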
Automation and SOAR Playbooks
SC-200 covers Sentinel automation for SOC efficiency. Automation rules: lightweight automation triggered on incident creation or update — change incident status, assign owner, add tags, run a playbook. Playbooks: Logic Apps workflows triggered by Sentinel — Standard playbooks (run in parallel, no output to Sentinel), Stateful playbooks (maintain state, output actions — can update incident). Common playbook use cases: enrich incident with threat intelligence (query VirusTotal or WHOIS for IPs in the incident), notify SOC team via Teams or email, block IP in firewall (Azure Firewall or NSG), disable compromised user account (Entra ID), isolate compromised device (MDE). Defender XDR auto-remediation: Defender for Endpoint automated investigation responds to endpoint alerts automatically — isolates device, removes malicious files, kills processes — all auditable in the action center. Custom detection rules in MDE: schedule KQL queries over DeviceEvents tables, trigger alerts or response actions on matches — closes the gap between hunting and detection.
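A custom detection query of the kind the last sentence describes, as an added example that is not from the original notes. It runs over DeviceProcessEvents, looks for Office applications spawning a script host or shell (a common phishing-to-execution step), and returns the columns the custom detection wizard requires; the process lists are a constructed starting point, not a complete catalogue.

```kql
// Added example, not from the original notes. Custom detection rule query in
// Defender XDR over DeviceProcessEvents. The two process lists are constructed
// and deliberately short; extend them to fit your environment.
let office_apps  = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let script_hosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe",
                            "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
// The rule's frequency setting already bounds the lookback window; a time
// filter here only narrows it further.
| where Timestamp >= ago(1h)
| where InitiatingProcessFileName in~ (office_apps)   // in~ is case-insensitive
| where FileName in~ (script_hosts)
// A custom detection must return Timestamp, ReportId and at least one device
// or account identifier (DeviceId here). The portal uses them to de-duplicate
// alerts and to aim response actions (isolate device, collect investigation
// package, run antivirus scan) at the right device when the rule fires.
| project Timestamp, DeviceId, ReportId,
          DeviceName, AccountName,
          ParentProcess     = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine,
          ChildProcess      = FileName,
          ChildCommandLine  = ProcessCommandLine
```

Alert title, severity, MITRE technique and the response actions are set in the rule wizard when the query is saved, not in the query itself.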