Module 4: Mitigate Threats Using Microsoft Defender for Cloud
Modules 1-3 taught you to investigate threats in the Microsoft 365 environment — endpoints, identities, email, and data. Module 4 extends your coverage to cloud infrastructure. When your organisation runs virtual machines in Azure, databases in Azure SQL, storage accounts holding sensitive data, containers in AKS, and web applications in App Service, those workloads need the same detection and response capabilities that Defender XDR provides for M365.
Microsoft Defender for Cloud is the cloud-native application protection platform (CNAPP) that provides two complementary capabilities: Cloud Security Posture Management (CSPM), which continuously assesses your cloud environment’s configuration against security benchmarks and identifies misconfigurations before attackers exploit them, and Cloud Workload Protection (CWP), which provides runtime threat detection for specific resource types — servers, databases, storage, containers, and application services.
For a SOC analyst, Defender for Cloud generates the security alerts that tell you when a virtual machine is running cryptocurrency mining software, when an Azure SQL database is being targeted by SQL injection, when a storage account is being accessed from a suspicious IP, or when a container is executing unexpected system calls. These alerts land in both the Defender for Cloud portal and in Sentinel (when the connector is configured), and they are investigated using the same skills you built in Modules 1-3.
This module covers all six modules of the Microsoft Learn learning path “Mitigate threats using Microsoft Defender for Cloud” and adds three subsections that extend coverage to regulatory compliance, cross-product investigation, and operational SOC workflow for cloud security.
Before starting, complete Module 0 (lab setup — you need an Azure subscription with Defender for Cloud enabled), Module 1 (Defender XDR — cloud alerts appear in the unified incident queue), and Module 6 (KQL — Defender for Cloud alerts are queryable in Sentinel using the SecurityAlert and SecurityRecommendation tables). Azure fundamentals knowledge is helpful but not required — this module explains Azure concepts as they become relevant to security operations.
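As an added example (not part of the Microsoft Learn module), the KQL query below shows how the Module 6 skills apply here: it pulls Defender for Cloud alerts from the Sentinel SecurityAlert table and groups them by the workload types this module covers (servers, SQL, storage, containers, App Service). It assumes the Defender for Cloud connector is enabled so alerts arrive with ProductName "Azure Security Center", and that ResourceId follows the standard Azure resource ID format.

```kql
// Added example, not from the Learn module: triage Defender for Cloud alerts in Sentinel.
// Assumes the Defender for Cloud connector is enabled so alerts land in SecurityAlert.
SecurityAlert
| where TimeGenerated > ago(7d)
// Defender for Cloud alerts carry this ProductName in Sentinel
| where ProductName == "Azure Security Center"
// Derive the workload type from the Azure resource provider in ResourceId, e.g.
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
| extend Provider = extract(@"/providers/([^/]+)/", 1, ResourceId)
| extend Workload = case(
    Provider =~ "Microsoft.Compute" or Provider =~ "Microsoft.HybridCompute", "Servers",   // Azure VMs and Arc servers
    Provider =~ "Microsoft.Sql", "SQL",
    Provider =~ "Microsoft.Storage", "Storage",
    Provider =~ "Microsoft.ContainerService" or Provider =~ "Microsoft.Kubernetes", "Containers",
    Provider =~ "Microsoft.Web", "App Service",
    "Other")
// Rank severity numerically so the worst affected entities sort first
| extend SeverityRank = case(AlertSeverity == "High", 3, AlertSeverity == "Medium", 2, AlertSeverity == "Low", 1, 0)
| summarize Alerts = count(),
            MaxSeverity = max(SeverityRank),
            AlertNames = make_set(AlertName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Workload, CompromisedEntity
| order by MaxSeverity desc, Alerts desc
```

Each row is one affected resource with its alert count, highest severity, and the distinct alert names seen, which is the starting point for the triage workflow in subsection 4.8.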
What you will be able to do after completing this module
After completing this module, you will be able to explain Defender for Cloud’s architecture and the difference between CSPM and CWP. You will enable and configure Defender plans for Azure resources, on-premises servers, and multi-cloud environments (AWS, GCP). You will assess and remediate security posture findings using the secure score, security recommendations, and attack path analysis. You will investigate and remediate security alerts from all Defender for Cloud workload protections — servers, storage, SQL, containers, and app services. You will map your cloud security posture against regulatory compliance standards (CIS, NIST, PCI DSS, ISO 27001). And you will integrate Defender for Cloud data with Sentinel and Defender XDR for cross-product cloud security investigation.
How this module is structured
4.1 — Defender for Cloud Architecture and Foundational Concepts. The starting point. CNAPP, CSPM vs CWP, the Defender plans model, free tier vs paid plans, and how Defender for Cloud fits in the broader Microsoft security ecosystem.
4.2 — Enabling and Connecting Azure Resources. Enabling Defender plans for Azure subscriptions, auto-provisioning agents, connecting Azure VMs, storage, SQL, and other native resources.
4.3 — Connecting Hybrid and Multi-Cloud Environments. Extending Defender for Cloud to on-premises servers (via Azure Arc), AWS accounts (via the multi-cloud connector), and GCP projects. The hybrid and multi-cloud scenario is tested on the SC-200 exam.
4.4 — Cloud Security Posture Management (CSPM). Secure score, security recommendations, attack path analysis, governance rules, and the remediation workflow that turns findings into actions.
4.5 — Defender for Servers: Workload Protection. Plan 1 vs Plan 2, just-in-time VM access, adaptive application controls, file integrity monitoring, and vulnerability assessment for server workloads.
4.6 — Defender for Storage, SQL, and App Service. Protection capabilities and alert types for Azure Storage, Azure SQL, and Azure App Service. Each workload has unique threat detection capabilities.
4.7 — Defender for Containers and Kubernetes. Protection for AKS clusters, container image scanning, runtime threat detection, and Kubernetes audit log analysis.
4.8 — Security Alerts: Investigation and Remediation. The hands-on investigation workflow for Defender for Cloud alerts. Alert triage, evidence analysis, response actions, and the kill chain framework for cloud-specific attacks.
4.9 — Regulatory Compliance and Security Standards. Mapping your cloud posture against compliance frameworks. Built-in standards, custom standards, compliance dashboards, and generating audit-ready reports.
4.10 — Cross-Product Investigation: Defender for Cloud + Sentinel + XDR. Our addition. Building unified investigation timelines that combine cloud infrastructure alerts with identity, endpoint, and data protection evidence.
4.11 — Module Summary. Key takeaways, skills checklist, SC-200 exam objectives covered.
4.12 — Check My Knowledge. 20 scenario-based questions covering all subsections.