SC-200 Cheat Sheet 2026
The 30 highest-yield SC-200 facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
100 min time limit
70.00% to pass
- What is the primary purpose of Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint? → To block behaviors commonly used by malware before malicious activity occurs
- Which Microsoft Sentinel built-in feature allows SOC teams to map their detection coverage to the MITRE ATT&CK framework? → MITRE ATT&CK coverage blade in Sentinel
- Which Microsoft Sentinel feature allows SOC teams to codify repeatable response steps for compliance-related incidents such as data breach investigations? → Automation rules with playbooks
- An organization must comply with ISO 27001. Which control domain specifically addresses the management of information security incidents? → A.16 - Information Security Incident Management
- A security team wants to ensure that every incident in Microsoft Sentinel has a documented resolution before closure. Which governance mechanism enforces this? → Incident task lists and closure classification requirements
- When configuring Always Encrypted in Azure SQL Database, where must the Column Encryption Key (CEK) be stored to maintain security? → In Azure Key Vault or a local certificate store, never in the database
- What is the role of documentation in Network Security Fundamentals for Microsoft Security Operations Analyst? → It provides an accurate record for accountability and reference
- An analyst needs to remediate a compromised account in Microsoft Entra ID Protection. Which combination of actions fully remediates the risk? → Reset password, revoke all sessions, and confirm user is compromised
- An organization needs to implement a data residency policy ensuring that logs from EU users are stored only in EU Azure regions. Which feature supports this? → Separate Log Analytics workspaces per region with Sentinel instances
- In Microsoft Sentinel, which SOAR capability allows you to manually trigger a playbook from within an incident without waiting for an automation rule? → Manual playbook run from incident actions menu
- Which Azure service allows you to enforce minimum TLS version and cipher suite policies across your organization's resources? → Azure Policy
- How does collaboration enhance Cryptography & Encryption in Microsoft Security Operations Analyst? → It brings diverse perspectives and improves outcomes
- Which Azure Sentinel (Microsoft Sentinel) feature automatically maps detected threats to the MITRE ATT&CK framework? → Analytics rule templates
- What is the purpose of the 'Entity behavior analytics' (UEBA) feature in Microsoft Sentinel? → To establish baselines and detect anomalous behavior per user and entity
- Which KQL function is used to detect anomalies in a time series within Microsoft Sentinel, returning a spike or drop indicator? → series_decompose_anomalies()
- A Microsoft Defender for Cloud alert indicates 'Unusual number of resources deleted.' Under which alert category does this fall? → Impact
- Which log source in Microsoft Sentinel contains details about Azure resource authorization failures, including RBAC denials? → AzureActivity
- A SOC team wants to enrich Microsoft Sentinel alerts with threat intelligence IP indicators. Which built-in feature should they use? → Threat Intelligence data connector + TI analytics rules
- Which Microsoft Sentinel feature provides a code-based interface using Python for advanced data analysis, ML model training, and custom visualizations? → Notebooks
- What is the role of a code of conduct in Microsoft Security Operations Analyst practice? → It establishes expected behavioral and professional standards
- Which approach best supports quality outcomes in Threat Intelligence & Analysis for Microsoft Security Operations Analyst? → Systematic application of evidence-based methods
- A Golden Ticket attack is detected in the environment. Which two immediate remediation actions are MOST critical? → Reset the KRBTGT account password twice and reboot all domain controllers
- Which advanced hunting KQL query technique allows a Defender XDR analyst to parameterize a query and reuse it across multiple investigations? → Saved functions in the Sentinel function library
- What is the role of documentation in Cloud Security Architecture for Microsoft Security Operations Analyst? → It provides an accurate record for accountability and reference
- An analyst sees a spike in outbound traffic to multiple IP addresses on port 6667. Which threat does this most likely represent? → IRC-based botnet command and control
- Which of the following is a key component of regulatory compliance? → Maintaining audit logs
- What is the importance of staying current with trends in Threat Intelligence & Analysis for Microsoft Security Operations Analyst? → It ensures practices remain effective and relevant
- Which technique does an adversary use when they compress and encrypt data before sending it outbound to avoid data loss prevention (DLP) detection? → Exfiltration over command-and-control channel with encoding
- Which protocol is most commonly abused for lateral movement because it allows remote command execution and is often permitted inside corporate networks? → SMB/WMI
- In Microsoft Defender for Cloud, what does the 'Secure Score' metric represent? → Percentage of security recommendations implemented out of total applicable controls
Turn these facts into recall: