Module 10: Create Detections and Perform Investigations Using Microsoft Sentinel
Modules 7 and 8 built the workspace and filled it with data. This module builds the detection and investigation layer — the analytics rules, automation, and investigation workflows that turn raw log data into security incidents that analysts can triage, investigate, and resolve.
Without analytics rules, Sentinel is a data lake — queryable but silent. Analytics rules are the automated detection engine that continuously evaluates the data, identifies threat patterns, generates alerts, groups alerts into incidents, and presents them to the SOC team for investigation. Without automation rules and playbooks, every incident requires manual triage and response — consuming analyst time that should be spent on investigation. Without workbooks, the SOC has no operational dashboard showing detection coverage, incident metrics, and team performance.
The SC-200 exam allocates two domains to this module’s content: “Configure Protections and Detections” (15-20%) covers analytics rule creation, and “Manage Incident Response” (25-30%) covers incident management, automation, and investigation. Together, these domains represent 40-50% of the exam — making this the most exam-relevant module alongside Module 7.
Complete Modules 7 (Sentinel workspace configuration) and 8 (data connectors) before starting this module. You need a workspace with active data connectors delivering data to the tables your analytics rules will query. Module 6 (KQL) is essential — every analytics rule is a KQL query. The investigation techniques from Modules 1-5 (cross-product correlation, entity investigation) are applied here in the context of Sentinel incident management.
What you will be able to do after completing this module
After completing this module, you will be able to create scheduled analytics rules with KQL queries that detect specific threat patterns. You will configure near-real-time (NRT) rules for high-priority detections that cannot wait for scheduled evaluation. You will set up entity mapping so that alerts include structured entities (users, IPs, devices) for correlation and investigation. You will manage incidents through the complete lifecycle from triage to closure. You will build automation rules that handle routine incident management tasks. You will create Logic Apps playbooks for multi-step automated response. You will enable UEBA for behavioural anomaly detection. You will build workbooks for SOC operational reporting. You will deploy ASIM parsers for cross-vendor data normalisation. And you will establish the detection engineering lifecycle that continuously improves your detection coverage.
How this module is structured
9.1 — Analytics Rules: Architecture and Rule Types. The four rule types (scheduled, NRT, Microsoft Security, anomaly), how they evaluate data, and when to use each.
9.2 — Creating Scheduled Analytics Rules. Step-by-step rule creation: KQL query, schedule, lookback, threshold, alert grouping, and MITRE ATT&CK mapping.
9.3 — Near-Real-Time (NRT) and Microsoft Security Rules. NRT rules for sub-minute detection. Microsoft Security rules for pass-through alerts from Defender products. Anomaly rules for ML-based detection.
9.4 — Entity Mapping and Alert Enrichment. Mapping entities (Account, IP, Host, URL, File) from KQL output to structured alert entities. Custom details for additional context. Alert enrichment patterns.
9.5 — Incident Management and Investigation Workflow. The incident lifecycle: creation, triage, assignment, investigation, classification, and closure. Evidence and entity graphs. Investigation bookmarks.
9.6 — Automation Rules. No-code automation for incident management: assignment, severity changes, tagging, suppression, and playbook triggering.
9.7 — Playbooks with Logic Apps. Full workflow automation: password reset, device isolation, ticket creation, notification chains, and multi-step response orchestration.
9.8 — User and Entity Behavior Analytics (UEBA). Behavioural baselines, anomaly scoring, investigation priority scoring, and UEBA-enhanced investigation.
9.9 — Workbooks and Security Reporting. Building SOC dashboards: incident metrics, detection coverage, analyst performance, and executive reporting.
9.10 — ASIM Parsers and Data Normalisation. The normalisation model, deploying parsers, writing cross-vendor analytics rules, and the ASIM schema reference.
9.11 — Detection Engineering Lifecycle. The continuous improvement cycle: threat modelling → rule development → testing → deployment → tuning → retirement. MITRE ATT&CK coverage analysis and gap-driven rule creation.
9.12 — Module Summary. Key takeaways, skills checklist, SC-200 exam objectives covered.
9.13 — Check My Knowledge. 20 scenario-based questions covering all subsections.