4.11 Module Summary

14-18 hours · Module 4

Module 4 Summary: Mitigate Threats Using Microsoft Defender for Cloud

What you learned in this module

This module extended your security operations coverage from Microsoft 365 (Modules 1-3) to cloud infrastructure — virtual machines, databases, storage accounts, containers, and application services running in Azure, AWS, GCP, and on-premises environments.

In subsection 4.1, you learned Defender for Cloud’s CNAPP architecture: the distinction between CSPM (proactive posture assessment) and CWP (reactive threat detection), the Defender plans model (free foundational CSPM vs paid plans per workload), how Defender for Cloud integrates with Defender XDR, Sentinel, and the Azure portal, and the Security Graph that powers attack path analysis.

In subsection 4.2, you learned to enable and connect Azure resources: subscription-level plan enablement, auto-provisioning for agent deployment, discovering unprotected resources, and verifying protection coverage across your Azure estate.

In subsection 4.3, you learned to connect hybrid and multi-cloud environments: Azure Arc for on-premises servers, the AWS multi-cloud connector (CloudFormation + IAM role), the GCP connector, and the unified multi-cloud dashboard that provides a single view across all environments. You learned the critical distinction that CSPM is API-based (no agents, works immediately) while CWP requires agents (Arc + MDE) for server-level protection.

In subsection 4.4, you learned CSPM in depth: Secure Score calculation and improvement, security recommendations and the remediation workflow, attack path analysis (discovering exploitation chains and breaking them at the weakest link), and governance rules for automating remediation ownership.

In subsection 4.5, you learned Defender for Servers: Plan 1 vs Plan 2 capabilities, MDE integration for endpoint detection on cloud VMs, just-in-time VM access (reducing the brute-force attack surface), adaptive application controls (allowlisting for zero-day protection), file integrity monitoring, and vulnerability assessment.

In subsection 4.6, you learned Defender for Storage (suspicious access, malware upload, data exposure), Defender for SQL (SQL injection, anomalous access, brute force, data exfiltration), and Defender for App Service (web shell detection, DNS analysis, application anomalies). Each workload type has unique threat detection capabilities matched to its specific threat profile.

In subsection 4.7, you learned Defender for Containers: image scanning (finding vulnerabilities before deployment), runtime protection (detecting suspicious container behaviour), and Kubernetes audit log analysis (detecting API-level attacks). You learned that containers are ephemeral — investigation uses the sensor data in Sentinel, not the container itself.

In subsection 4.8, you learned cloud alert investigation: the alert anatomy, the cloud kill chain (mapping attack phases to alert types), the four-step investigation workflow (cloud context → threat analysis → contain and remediate → posture improvement), worked examples for common alert types (cryptocurrency mining, suspicious ARM operations, anomalous storage access), and alert suppression for false positive management.

In subsection 4.9, you learned regulatory compliance: built-in standards (CIS, NIST, PCI DSS, ISO 27001), the compliance dashboard, adding and customising standards, compliance in the SOC workflow (during incidents, posture reviews, and audit preparation), and translating compliance data into management reports.

In subsection 4.10, you built a complete cross-product investigation for a cloud infrastructure attack: tracing an attacker from identity compromise through privilege escalation, resource deployment, and data exfiltration across Entra ID, Azure Resource Manager, Defender for Cloud, and storage diagnostic logs — producing a unified timeline and comprehensive remediation plan.
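As an added example (not part of the course material), the script below builds the kind of unified timeline described in subsection 4.10 from constructed sample records for the four sources (Entra ID sign-ins, ARM activity, Defender for Cloud alerts, storage diagnostic logs) and reports which actors appear in more than one source; the record field names are assumptions, not the products' actual schemas.

```python
# Unified timeline for a cross-product cloud investigation.
# All records below are constructed samples; field names are assumptions.
from datetime import datetime, timezone

ENTRA_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:02:00Z", "userPrincipalName": "ops-admin@contoso.example",
     "ipAddress": "203.0.113.7", "status": "success", "riskLevel": "high"},
]
ARM_ACTIVITY = [
    {"eventTimestamp": "2024-05-01T08:10:00Z", "caller": "ops-admin@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded"},
    {"eventTimestamp": "2024-05-01T08:25:00Z", "caller": "ops-admin@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded"},
]
DEFENDER_ALERTS = [
    {"timeGenerated": "2024-05-01T08:40:00Z", "alertName": "Suspicious ARM operation",
     "compromisedEntity": "ops-admin@contoso.example", "severity": "High", "tactics": "Execution"},
]
STORAGE_DIAG = [
    {"time": "2024-05-01T09:05:00Z", "callerIdentity": "ops-admin@contoso.example",
     "operationName": "GetBlob", "uri": "https://finance.blob.core.windows.net/reports/q1.xlsx",
     "callerIpAddress": "203.0.113.7"},
]

def _ts(s):
    # Each source writes ISO-8601 UTC timestamps; normalise to aware datetimes so they sort together.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline():
    """Return (time, source, actor, summary) tuples from all four sources, sorted by time."""
    events = []
    for r in ENTRA_SIGNINS:
        events.append((_ts(r["createdDateTime"]), "EntraID", r["userPrincipalName"],
                       f"sign-in {r['status']} from {r['ipAddress']} risk={r['riskLevel']}"))
    for r in ARM_ACTIVITY:
        events.append((_ts(r["eventTimestamp"]), "ARM", r["caller"],
                       f"{r['operationName']} {r['status']}"))
    for r in DEFENDER_ALERTS:
        events.append((_ts(r["timeGenerated"]), "DefenderForCloud", r["compromisedEntity"],
                       f"{r['severity']} alert: {r['alertName']} ({r['tactics']})"))
    for r in STORAGE_DIAG:
        events.append((_ts(r["time"]), "Storage", r["callerIdentity"],
                       f"{r['operationName']} {r['uri']} from {r['callerIpAddress']}"))
    return sorted(events)

def actors_across_sources(events, min_sources=2):
    """Actors seen in at least min_sources distinct products: the pivot points for the investigation."""
    seen = {}
    for _, source, actor, _ in events:
        seen.setdefault(actor, set()).add(source)
    return {a: sorted(s) for a, s in seen.items() if len(s) >= min_sources}
```

Printing `build_timeline()` gives the identity-to-exfiltration sequence in order; `actors_across_sources` shows which principal ties the identity, ARM, alert and storage evidence together.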

Skills checklist

After completing this module, you should be able to confirm:

- I can explain CSPM vs CWP and the CNAPP model.
- I can enable Defender plans for Azure subscriptions and verify coverage.
- I can connect on-premises servers via Azure Arc, AWS accounts via the multi-cloud connector, and GCP projects.
- I can assess and improve Secure Score by remediating security recommendations.
- I can interpret attack paths and identify the most effective link to break.
- I can configure and manage Defender for Servers (JIT, adaptive controls, FIM, vulnerability assessment).
- I can investigate security alerts from Storage, SQL, App Service, and Containers.
- I can map the cloud kill chain to alert types and determine attack stage from alert metadata.
- I can map cloud security posture to regulatory compliance standards.
- I can build cross-product investigation timelines combining identity, ARM, and cloud workload data.

SC-200 exam objectives covered

Domain 1 — Manage a SOC Environment: Discover unprotected resources by using Defender for Cloud. Configure cloud workload protections in Microsoft Defender for Cloud.

Domain 2 — Configure Protections and Detections: Configure cloud workload protections in Microsoft Defender for Cloud.

Domain 3 — Manage Incident Response: Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections. Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement.

What comes next

Module 4 completes your protection coverage across M365 (Modules 1-3) and cloud infrastructure (Module 4). The next modules build the SIEM layer that connects all these data sources. Module 7 (Configure Your Microsoft Sentinel Environment) creates the workspace. Module 8 (Connect Logs to Microsoft Sentinel) connects the data connectors — including the Defender for Cloud connector that streams the security alerts and recommendations from this module into your Sentinel workspace for KQL investigation and custom detection rules.