topic From SC-100 Exam Scenario to Real Build — Sentinel + Workato Incident Response in Workato Academy Discussion https://systematic.workato.com/t5/workato-academy-discussion/from-sc-100-exam-scenario-to-real-build-sentinel-workato/m-p/11972#M750 <P>Hello!</P><P>Been experimenting with bridging Microsoft Sentinel and Workato for automated incident response and wanted to share what we built might be useful for anyone thinking about SIEM/SOAR architecture in a mixed-tool environment.</P><P>Since there's no direct Sentinel-to-Workato connector, what worked for us was setting up a Sentinel Playbook (Logic App) as the trigger, which then fires a webhook into a Workato recipe. From there Workato handles the cross-system heavy lifting in our case creating a ServiceNow ticket, notifying the security team on Teams, and logging enriched details to a SharePoint list.</P><P>Honestly the hardest part was deciding what data to pass in the webhook payload you don't want to forward the full raw alert since it can contain sensitive user/device info. We ended up stripping it down to just the fields Workato actually needed to act on.</P><P>For anyone weighing up Sentinel Playbooks vs Workato, Playbooks make more sense if you're staying entirely within the Microsoft stack. But the moment you need to touch non-Microsoft systems, Workato wins easily on simplicity.</P><P>And, this whole idea actually came up while I was getting ready for the Microsoft Cybersecurity Architect Expert certification and working through SC-100 exam questions and answers on CertBoosters website and one of the SIEM/SOAR scenarios just clicked. Went from reading about it in an exam context to actually building it out, which was a great way to reinforce the concepts!</P><P>Happy to share more about the recipe structure if anyone's interested!</P> Thu, 26 Feb 2026 09:01:40 GMT adrewnixon 2026-02-26T09:01:40Z From SC-100 Exam Scenario to Real Build — Sentinel + Workato Incident Response https://systematic.workato.com/t5/workato-academy-discussion/from-sc-100-exam-scenario-to-real-build-sentinel-workato/m-p/11972#M750 <P>Hello!</P><P>Been experimenting with bridging Microsoft Sentinel and Workato for automated incident response and wanted to share what we built might be useful for anyone thinking about SIEM/SOAR architecture in a mixed-tool environment.</P><P>Since there's no direct Sentinel-to-Workato connector, what worked for us was setting up a Sentinel Playbook (Logic App) as the trigger, which then fires a webhook into a Workato recipe. From there Workato handles the cross-system heavy lifting in our case creating a ServiceNow ticket, notifying the security team on Teams, and logging enriched details to a SharePoint list.</P><P>Honestly the hardest part was deciding what data to pass in the webhook payload you don't want to forward the full raw alert since it can contain sensitive user/device info. We ended up stripping it down to just the fields Workato actually needed to act on.</P><P>For anyone weighing up Sentinel Playbooks vs Workato, Playbooks make more sense if you're staying entirely within the Microsoft stack. But the moment you need to touch non-Microsoft systems, Workato wins easily on simplicity.</P><P>And, this whole idea actually came up while I was getting ready for the Microsoft Cybersecurity Architect Expert certification and working through SC-100 exam questions and answers on CertBoosters website and one of the SIEM/SOAR scenarios just clicked. Went from reading about it in an exam context to actually building it out, which was a great way to reinforce the concepts!</P><P>Happy to share more about the recipe structure if anyone's interested!</P> Thu, 26 Feb 2026 09:01:40 GMT https://systematic.workato.com/t5/workato-academy-discussion/from-sc-100-exam-scenario-to-real-build-sentinel-workato/m-p/11972#M750 adrewnixon 2026-02-26T09:01:40Z