📋 Security Operations Cheat Sheet

SIEM, threat detection, and incident response for AZ-500.

Why This Cheat Sheet Matters for AZ-500

This cheat sheet covers the most important Sentinel & Defender concepts tested on the AZ-500 (Azure Security Engineer Associate) certification exam. It contains 2 sections with 8 key points that you should memorize before exam day. Manage security operations with Microsoft Sentinel, security alerts, incident response, and threat hunting. Use this as a quick-reference guide during your final review sessions.


Microsoft Sentinel

  • Data connectors: ingest logs from Azure, M365, third-party, and custom sources.
  • Analytic rules: scheduled KQL queries that create alerts/incidents.
  • Playbooks: Logic Apps triggered by incidents for automated response (SOAR).
  • Workbooks: interactive dashboards for security data visualization.
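As an added example of the analytic-rule bullet above (not from the original cheat sheet), here is a scheduled KQL query of the kind a Sentinel rule runs; it assumes the Microsoft Entra ID connector is populating the SigninLogs table, and the threshold is a constructed value.

```kql
// Added example: scheduled analytic rule query for Microsoft Sentinel.
// Assumes the Microsoft Entra ID data connector is populating SigninLogs.
// Flags a source IP with many failed sign-ins inside the rule's lookback window.
let lookback = 1h;
let failure_threshold = 20;   // constructed threshold; tune to your environment
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType != "0"     // ResultType "0" is a successful sign-in
| summarize
    FailedAttempts = count(),
    DistinctUsers = dcount(UserPrincipalName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by IPAddress
| where FailedAttempts >= failure_threshold
| project FirstSeen, LastSeen, IPAddress, FailedAttempts, DistinctUsers
// In the rule wizard, map IPAddress to the IP entity so the resulting
// incident carries the entity and a playbook (Logic App) can act on it.
```

When saved as a scheduled rule, each run that returns rows creates an alert, and the rule's incident settings decide whether those alerts are grouped into one incident.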

Defender for Cloud

  • CSPM: continuous assessment and secure score recommendations.
  • CWPP: workload protection for VMs, SQL, Storage, Containers, App Service.
  • Regulatory compliance: track progress against CIS, NIST, PCI-DSS benchmarks.
  • Just-in-time access: reduce attack surface by keeping management ports (for example RDP/SSH) closed and opening them only on request, for a limited time.


Azure Quick Reference Tips

Azure services follow consistent naming patterns that help with exam recall. Resource Manager (ARM) templates use JSON, while Bicep provides a cleaner DSL for infrastructure as code. Remember that Azure resources are organised in a hierarchy: Management Groups → Subscriptions → Resource Groups → Resources.
