Microsoft Certified: Security Compliance and Identity Fundamentals SC-900 Updated Exam

In Microsoft Sentinel, automation of routine or repetitive SOC tasks is delivered through playbooks. Microsoft’s Sentinel guidance defines playbooks as “collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident.” They are “built on Azure Logic Apps” and enable teams to “automate and orchestrate responses to threats” such as enriching incidents, opening tickets, notifying responders, quarantining entities, or blocking indicators. The documentation further clarifies that automation rules can “trigger playbooks automatically based on analytics alerts or incident conditions,” allowing consistent, scalable actions without manual intervention. By contrast, workbooks provide “data visualization and reporting” for analysis; hunting search-and-query tools (built on KQL) are used to “proactively hunt for threats”; and deep investigation tools assist analysts during incident investigation. Therefore, when the goal is to automate common tasks—for example, sending incident notifications, enriching with threat intelligence, or creating tickets in ITSM—the correct capability in Microsoft Sentinel is playbooks, because they encapsulate repeatable response procedures and can be executed automatically via automation rules or manually from incidents, alerts, or entities.

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management: Provide just-in-time privileged access to Azure AD and Azure resources Assign time-bound access to resources using start and end dates Require approval to activate privileged roles Enforce multi-factor authentication to activate any role Use justification to understand why users activate Get notifications when privileged roles are activated Conduct access reviews to ensure users still need roles Download audit history for internal or external audit Prevents removal of the last active Global Administrator role assignment

Microsoft Purview Data Loss Prevention (DLP) is designed to “detect and protect sensitive items” across Microsoft 365 locations, endpoints, and cloud apps. Microsoft explains that Purview DLP policies use sensitive information types, exact data match (EDM), and machine learning–based trainable classifiers to identify content, and then automatically apply protective actions such as blocking or restricting sharing, notifying users with policy tips, auditing, or auto-quarantining/justifying activities. This fulfills the description “use machine learning algorithms to detect and automatically protect sensitive items.” While eDiscovery focuses on legal hold and content discovery, and Communication compliance monitors communications for policy violations (ethics/regulatory scenarios), they are not positioned to broadly and automatically protect sensitive data across services. “Information risks” is not a distinct Purview solution category. Therefore, the Purview capability that leverages machine learning classifiers and automatically enforces protections on sensitive data is Data loss prevention (DLP).