Watchlists — reference data for IP allowlists, VIP users, asset inventories
Data retention — a Sentinel-enabled workspace gets 90 days of interactive retention free (a plain Log Analytics workspace defaults to 30 days); use long-term (archive) retention for anything older, and remember that archived data is searched via search jobs, not normal KQL
Rule Type | Trigger | Use Case
Scheduled | KQL query run on a timer (e.g., every 5 min over a matching lookback window) | Batch correlation, threshold alerts
NRT (Near Real-Time) | KQL query run about once per minute (not true streaming) | Low-latency detection of single-event indicators, e.g., brute force, malware alerts
Microsoft-managed (Microsoft security, Fusion, Threat Intelligence) | Pre-configured by Microsoft; logic is not editable KQL | Promote Defender XDR / Defender for Cloud alerts to incidents, multistage attack correlation (Fusion), common TTPs, threat intelligence indicator matches
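The scheduled-rule row above is easiest to understand with a concrete query. The following is an added example, not taken from the original notes or from any Microsoft rule template: a scheduled rule that flags a user/IP pair with many failed sign-ins in the lookback window, while suppressing sources that appear on an IP allowlist watchlist. The watchlist alias `IPAllowlist` and the use of its `SearchKey` column for the IP value are assumptions; `SigninLogs`, `_GetWatchlist()`, and `ResultType == "0"` meaning success are standard Sentinel.

```kql
// Added example (not from the original notes): scheduled-rule KQL for brute-force /
// password-spray detection with a watchlist-based allowlist.
// Assumption: a watchlist with alias 'IPAllowlist' whose SearchKey column holds
// the allowed source IPs.
let lookback = 5m;        // keep equal to the rule's query frequency and lookback period
let threshold = 10;       // failed sign-ins per user+IP pair before we alert
let allowedIPs = _GetWatchlist('IPAllowlist') | project SearchKey;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"             // "0" is success; any other code is a failure
| where IPAddress !in (allowedIPs)    // drop known-good sources (VPN egress, scanners)
| summarize FailedAttempts = count(),
            ResultCodes   = make_set(ResultType),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedAttempts >= threshold
| project FirstSeen, LastSeen, UserPrincipalName, IPAddress, FailedAttempts, ResultCodes
```

When saving this as a scheduled rule, set the query frequency and lookback period to the same value as `lookback` so windows neither overlap nor leave gaps, map `UserPrincipalName` to the Account entity and `IPAddress` to the IP entity in the rule's entity mapping, and leave the alert threshold at "results greater than 0" since the threshold is already enforced in the query.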
SOAR Automation
Automation rules — trigger playbooks on incident creation/update
Playbooks — Logic Apps with Sentinel connector actions
Common actions — isolate device, disable user, block IP, enrich with TI
Approval gates — human-in-the-loop for destructive actions
Exam Focus Areas
AMA (Azure Monitor Agent) replaces the legacy Log Analytics agent (MMA, retired August 2024); AMA is configured through Data Collection Rules (DCRs), which also allow filtering events before ingestion
Analytics rules create alerts; incidents group related alerts
Data connector health must be monitored — a connector that silently stops ingesting produces no alerts, so the absence of alerts looks like the absence of threats; use the SentinelHealth table (health monitoring) for connectors that support it and a query over the Usage table to catch tables that have gone quiet
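A query a practitioner would actually schedule for the ingestion-gap problem above. This is an added example, not from the original notes: it uses the `Usage` table (hourly billing aggregates per data type, with `Quantity` in MB) rather than scanning every table with `union *`, which is expensive on a large workspace. The baseline and silence windows are assumptions to be tuned per workspace.

```kql
// Added example (not from the original notes): detect tables that were ingesting
// recently but have gone quiet, a cheap proxy for a broken or disconnected connector.
let baseline = 14d;   // a table must have ingested within this window to be "expected"
let silence  = 24h;   // no data for this long => flag it (tune per source cadence)
Usage
| where TimeGenerated > ago(baseline)
| where IsBillable == true
| summarize LastIngested = max(TimeGenerated),
            TotalMB      = sum(Quantity)
    by DataType
| where LastIngested < ago(silence)
| project DataType,
          LastIngested,
          HoursSilent = datetime_diff('hour', now(), LastIngested),
          TotalMB
| order by HoursSilent desc
```

Run it as a scheduled rule (or a workbook/alert) once a day; an empty result is the healthy state. Low-volume sources that legitimately log only weekly will show up as false positives, so either raise `silence` for them or exclude those `DataType` values explicitly.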
Practice This Domain
Test your understanding with free practice questions at /certifications/microsoft/sc-200/practice — focus on: Microsoft Sentinel workspace configuration, Data connectors and log ingestion, Analytics rules and alerts.