Module 4 — Check My Knowledge (20 questions)

1. What is the difference between CSPM and CWP in Defender for Cloud?
CSPM continuously assesses resource configurations against security benchmarks (proactive — finds misconfigurations). CWP provides runtime threat detection for specific workload types (reactive — detects active attacks). Together they form CNAPP: CSPM prevents the conditions that enable attacks, CWP detects attacks against the remaining surface.
CSPM is for Azure, CWP is for AWS and GCP
CSPM generates alerts, CWP generates recommendations
They are the same — CSPM is the old name for CWP
CSPM = proactive posture (recommendations). CWP = reactive detection (alerts). Both apply to all connected clouds (Azure, AWS, GCP). The CNAPP model combines both for complete cloud security.

2. Your organisation has 100 on-premises servers. You want Defender for Cloud CSPM assessment and CWP threat detection. What do you need?
Azure Arc + Defender for Servers. Arc-enable each server (install the Connected Machine agent), then enable Defender for Servers on the subscription. Auto-provisioning deploys MDE and the monitoring agent. The servers receive both CSPM recommendations and CWP alerts — the same protection as Azure VMs.
Move servers to Azure — on-premises is not supported
Install MDE only — Defender for Cloud is Azure-only
VPN connection to Azure is sufficient
Azure Arc is the bridge. Without Arc, on-premises servers are invisible to Defender for Cloud.

3. You connect an AWS account for CSPM. Do you need agents on EC2 instances?
Not for CSPM — it is API-based. Defender for Cloud reads AWS resource configurations through the IAM role. For CWP (runtime threat detection) on EC2 instances, you need Arc + MDE agents.
Yes — all EC2 instances need the Arc agent for any protection
No — CWP also works without agents on AWS
AWS is not supported by Defender for Cloud
CSPM = API, no agents. CWP = agents (Arc + MDE). This distinction is tested on the SC-200 exam.

4. Your Secure Score dropped from 75% to 68% this week. Nothing was changed on existing resources. What happened?
New resources were deployed without security controls. New non-compliant resources increase the total recommendation count (denominator), reducing the percentage. Implement governance rules and deployment policies to ensure new resources include security controls from day one.
Microsoft changed the scoring algorithm
A Defender plan was disabled
An attacker modified the score
New resource deployment without security controls is the most common cause of Secure Score decline.

5. An attack path shows: Internet → VM with public IP and CVE → lateral movement to SQL → customer database. You can fix one link. Which one?
Patch the CVE on the entry-point VM. This eliminates the exploitation opportunity at step 1, preventing the entire chain. A known CVE with public exploit code on an internet-facing VM is the most immediately exploitable link.
Enable encryption on the database
Restrict network between VM and SQL
Remove the VM's public IP
Patch the most immediately exploitable link first. The CVE at the entry point is the highest risk.

6. A production web server receives thousands of brute-force SSH attempts daily. Which Defender for Servers feature eliminates this attack surface?
Just-in-time (JIT) VM access. JIT closes port 22 by default and opens it only on demand, only from the requester's IP, only for a limited time. Closed ports cannot be brute-forced.
Adaptive application controls
File integrity monitoring
Vulnerability assessment
JIT eliminates the SSH brute-force attack surface at the network level. Other features detect consequences of a successful brute force but do not prevent the attempts.

7. A zero-day malware executes on a server with adaptive application controls in enforce mode. What happens?
The malware is blocked. Adaptive controls allowlist known-good applications. Unknown applications — including zero-day malware — are blocked by default. The malware does not need to be identified as malicious; it is blocked because it is not identified as legitimate.
The malware runs — adaptive controls only detect, not block
The malware runs — zero-day means undetectable
MDE blocks it first — adaptive controls are secondary
Application allowlisting inverts the detection model: block everything not explicitly allowed. Zero-day malware is not on the allowlist. Blocked.

8. Defender for Storage alerts: "Access from a Tor exit node using account key." What is the most urgent action?
Rotate all storage account keys immediately. The key has been compromised. Rotation invalidates all existing keys, stopping any ongoing or future access by the attacker using the stolen key.
Block the Tor exit node IP in the NSG
Disable the storage account
Investigate first — this may be a false positive
Key rotation is urgent because the attacker has persistent, independent access via the stolen key. Blocking one Tor IP does not help — Tor has thousands of exit nodes. Key rotation is the definitive containment.

9. Defender for SQL detects "Potential SQL injection" on your database. How do you determine if it was successful?
Check the database audit log for data access from the same session, and check the application's HTTP response (200 OK with data = likely successful; 500 error = likely failed). Block the source IP immediately while investigating.
The alert automatically indicates success or failure
SQL injection attempts always fail if parameterised queries are used
Ignore it — automated scanners never succeed
Defender for SQL detects the injection pattern, not the outcome. Success determination requires checking the database audit log and application logs. Block the IP first, then investigate.

10. A crypto mining alert fires on a VM. The kill chain intent is "Execution." What does this mean about the attack stage?
The VM is already compromised and running the attacker's payload. Execution is a mid-stage kill chain phase — the attacker has completed initial access and is actively operating. The mining software is running right now. Immediate containment required.
The attack is just starting — early stage
The VM is being scanned but not yet compromised
Informational only — monitor but no containment needed
Execution = active attacker payload. Crypto mining = confirmed compromise. Immediate containment is required.

11. After containing a compromised VM, you check Defender for Cloud recommendations and find the VM was non-compliant with 3 recommendations that existed before the incident. How do you use this?
Document in the incident report as root cause enabling factors. The pre-existing recommendations represent posture gaps that enabled the attack. This evidence supports the posture improvement step (step 4 of cloud IR) and justifies remediation investment to management: "These recommendations existed before the incident. Had they been implemented, the attack would have been prevented or detected earlier."
Ignore — recommendations are not related to incidents
Report the compliance failure to the auditor
Remove the recommendations to prevent them showing up again
Connecting incidents to posture gaps is the most effective way to drive security investment. Pre-existing recommendations that were not implemented become the root cause analysis in the incident report.

12. Your organisation needs PCI DSS compliance evidence for an audit. How does Defender for Cloud help?
Add PCI DSS to the regulatory compliance dashboard. Defender for Cloud maps its recommendations to PCI controls, showing pass/fail status. Export the report as audit evidence. Remediate failing controls before the audit.
Defender for Cloud automatically makes your environment PCI compliant
A separate compliance tool is required
PCI DSS is not supported by Defender for Cloud
Defender for Cloud provides continuous compliance monitoring and reporting — not automatic compliance, but the visibility and remediation guidance needed to achieve and maintain it.

13. Which Defender for Cloud capability is free for all Azure subscriptions?
Foundational CSPM — providing Secure Score, basic security recommendations, and Azure Security Benchmark assessment. It is enabled by default on every Azure subscription. Paid plans add advanced CSPM (attack paths, governance) and CWP (threat detection per workload).
Defender for Servers Plan 1
All Defender plans are free for the first 30 days
Nothing — all Defender for Cloud capabilities are paid
Foundational CSPM is free. Many organisations do not realise they already have CSPM data. Check your Defender for Cloud dashboard — the Secure Score and recommendations are available right now.

14. The Azure Activity Log shows an unknown identity created a VM in Brazil South at 03:16. Your organisation only operates in UK South and West Europe. What does this indicate?
Credential compromise with crypto mining deployment. An attacker obtained Azure admin credentials and is deploying a mining VM in an unused region to avoid detection. Immediate actions: investigate the compromised identity, delete the VM, revoke the role assignment, implement Azure Policy restricting VM deployment to authorised regions.
A developer testing in a new region
Azure load balancing to a closer region
False positive — Defender for Cloud is too sensitive
VM creation in an unused region by an unknown identity at 03:16 is a classic cloud credential compromise indicator. Region-locked Azure Policy prevents this.

15. An attacker compromises admin credentials and runs storageAccounts/listKeys at 03:22. You discover this at 08:00. What containment action stops ongoing data access via the stolen keys?
Rotate all storage account keys. The attacker has the keys and can use them independently of the identity — key-based access does not require Entra ID authentication. Password reset and session revocation do not invalidate storage keys. Only key rotation stops key-based access.
Reset the admin password
Revoke the admin's sessions
Block the attacker's IP in the NSG
Storage account keys provide independent access — they are not tied to user sessions. Key rotation is the only action that invalidates stolen keys.

16. A container image in ACR has a critical CVE. It is deployed to 15 production pods. What is the remediation approach?
Patch the base OS in the container image, rebuild the image, push to ACR, then trigger a rolling deployment to replace running pods with the patched image. Additionally, implement admission control policies that block deployment of images with critical CVEs in the future.
Terminate all 15 pods immediately
Patch the OS on each container individually
Containers are ephemeral — the CVE will resolve itself
Container remediation is image-level. Fix the image, redeploy. Terminating pods without a patched image just restarts them from the same vulnerable image. You cannot patch individual containers — they are immutable.

17. Which posture improvement prevents credential compromise from leading to Azure resource abuse?
Conditional access requiring compliant device + trusted location for Azure Resource Manager access. Even with valid stolen credentials, the attacker is blocked at authentication because their device and location do not meet the conditional access requirements. This prevents all subsequent ARM operations.
MFA — it blocks stolen credentials
Azure Policy restricting VM regions
Defender for Cloud alerts
MFA can be bypassed (AiTM, compromised MFA device). Azure Policy restricts specific operations but not access. Alerts detect but do not prevent. Conditional access with device compliance prevents access at the authentication layer — the most effective single control.

18. What is the Foundational CSPM Secure Score based on?
The percentage of Defender for Cloud security recommendations that are implemented. Each recommendation evaluates a specific configuration against the Azure Security Benchmark. Implemented recommendations = passed controls. Unimplemented recommendations = failed controls. The score is earned points / total possible points × 100%.
The number of active security alerts
The number of Defender plans enabled
An AI-generated assessment of overall security
The Secure Score is deterministic — it is based on specific, measurable recommendation compliance. Each point can be earned by implementing a specific remediation. It is not a subjective assessment.

19. Where do Defender for Cloud security alerts appear for SOC investigation?
Three places: the Defender for Cloud alerts page in the Azure portal, the Defender XDR unified incident queue (if integration is enabled), and Microsoft Sentinel (SecurityAlert table, if the connector is configured). The SOC typically triages in Defender XDR and investigates deeply in Sentinel.
Only in the Azure portal
Only in Sentinel
Only in the Defender XDR portal
Defender for Cloud alerts flow to three investigation surfaces. The Azure portal provides resource-level context. Defender XDR provides correlation with M365 alerts. Sentinel provides KQL investigation. Use all three appropriately.

20. After a cloud security incident, you add "posture improvement" as step 4 of your investigation workflow. Why is this step unique to cloud IR compared to traditional endpoint IR?
Cloud infrastructure is defined by configuration — misconfigurations that enabled the attack can be fixed programmatically (Azure Policy, ARM templates, Terraform) to prevent recurrence across the entire environment. Traditional endpoint IR fixes individual machines. Cloud IR fixes the configuration template that governs all machines. Posture improvement means fixing the root cause at the infrastructure-as-code level, not just on the compromised resource, so the same misconfiguration cannot exist on any resource in the environment.
Posture improvement is not unique to cloud — it applies to all IR
Cloud IR does not include containment — only posture improvement
Posture improvement means upgrading to more expensive Defender plans
Cloud infrastructure is code. Misconfigurations can be fixed at the template level, preventing them from ever being deployed again. This is the cloud IR advantage: each incident improves the posture for the entire environment, not just the affected resource. The CSPM recommendations that existed before the incident become the posture improvement actions in the incident report.