SC-200 Cheat Sheet 2026

The 30 highest-yield SC-200 facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

50 questions
100 min time limit
70.00% to pass
  1. What is the primary purpose of Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint? To block behaviors commonly used by malware before malicious activity occurs
  2. Which Microsoft Sentinel built-in feature allows SOC teams to map their detection coverage to the MITRE ATT&CK framework? MITRE ATT&CK coverage blade in Sentinel
  3. Which Microsoft Sentinel feature allows SOC teams to codify repeatable response steps for compliance-related incidents such as data breach investigations? Automation rules with playbooks
  4. An organization must comply with ISO 27001. Which control domain specifically addresses the management of information security incidents? A.16 - Information Security Incident Management
  5. A security team wants to ensure that every incident in Microsoft Sentinel has a documented resolution before closure. Which governance mechanism enforces this? Incident task lists and closure classification requirements
  6. When configuring Always Encrypted in Azure SQL Database, where must the Column Encryption Key (CEK) be stored to maintain security? In Azure Key Vault or a local certificate store, never in the database
  7. What is the role of documentation in Network Security Fundamentals for Microsoft Security Operations Analyst? It provides an accurate record for accountability and reference
  8. An analyst needs to remediate a compromised account in Microsoft Entra ID Protection. Which combination of actions fully remediates the risk? Reset password, revoke all sessions, and confirm user is compromised
  9. An organization needs to implement a data residency policy ensuring that logs from EU users are stored only in EU Azure regions. Which feature supports this? Separate Log Analytics workspaces per region with Sentinel instances
  10. In Microsoft Sentinel, which SOAR capability allows you to manually trigger a playbook from within an incident without waiting for an automation rule? Manual playbook run from incident actions menu
  11. Which Azure service allows you to enforce minimum TLS version and cipher suite policies across your organization's resources? Azure Policy
  12. How does collaboration enhance Cryptography & Encryption in Microsoft Security Operations Analyst? It brings diverse perspectives and improves outcomes
  13. Which Azure Sentinel (Microsoft Sentinel) feature automatically maps detected threats to the MITRE ATT&CK framework? Analytics rule templates
  14. What is the purpose of the 'Entity behavior analytics' (UEBA) feature in Microsoft Sentinel? To establish baselines and detect anomalous behavior per user and entity
  15. Which KQL function is used to detect anomalies in a time series within Microsoft Sentinel, returning a spike or drop indicator? series_decompose_anomalies()
  16. A Microsoft Defender for Cloud alert indicates 'Unusual number of resources deleted.' Under which alert category does this fall? Impact
  17. Which log source in Microsoft Sentinel contains details about Azure resource authorization failures, including RBAC denials? AzureActivity
  18. A SOC team wants to enrich Microsoft Sentinel alerts with threat intelligence IP indicators. Which built-in feature should they use? Threat Intelligence data connector + TI analytics rules
  19. Which Microsoft Sentinel feature provides a code-based interface using Python for advanced data analysis, ML model training, and custom visualizations? Notebooks
  20. What is the role of a code of conduct in Microsoft Security Operations Analyst practice? It establishes expected behavioral and professional standards
  21. Which approach best supports quality outcomes in Threat Intelligence & Analysis for Microsoft Security Operations Analyst? Systematic application of evidence-based methods
  22. A Golden Ticket attack is detected in the environment. Which two immediate remediation actions are MOST critical? Reset the KRBTGT account password twice and reboot all domain controllers
  23. Which advanced hunting KQL query technique allows a Defender XDR analyst to parameterize a query and reuse it across multiple investigations? Saved functions in the Sentinel function library
  24. What is the role of documentation in Cloud Security Architecture for Microsoft Security Operations Analyst? It provides an accurate record for accountability and reference
  25. An analyst sees a spike in outbound traffic to multiple IP addresses on port 6667. Which threat does this most likely represent? IRC-based botnet command and control
  26. Which of the following is a key component of regulatory compliance? Maintaining audit logs
  27. What is the importance of staying current with trends in Threat Intelligence & Analysis for Microsoft Security Operations Analyst? It ensures practices remain effective and relevant
  28. Which technique does an adversary use when they compress and encrypt data before sending it outbound to avoid data loss prevention (DLP) detection? Exfiltration over command-and-control channel with encoding
  29. Which protocol is most commonly abused for lateral movement because it allows remote command execution and is often permitted inside corporate networks? SMB/WMI
  30. In Microsoft Defender for Cloud, what does the 'Secure Score' metric represent? Percentage of security recommendations implemented out of total applicable controls
Turn these facts into recall: