3.1 Microsoft Defender for Cloud

Key Takeaways

  • Foundational Cloud Security Posture Management (CSPM) is free; the optional Defender CSPM plan adds agentless scanning, attack path analysis, and the cloud security graph
  • Secure Score is a single percentage rolled up from security recommendations; each remediated recommendation raises the score proportional to its weighted value
  • Defender for Cloud workload plans are billed per resource: Servers Plan 1 and Plan 2, Containers, Storage, Databases (SQL, open-source, Cosmos DB), Key Vault, App Service, APIs, and Resource Manager
  • Multicloud connectors onboard AWS accounts and GCP projects so CSPM and workload protection extend across all three clouds from one portal
  • Workflow automation triggers a Logic App when a recommendation, secure score change, or security alert fires, enabling auto-remediation and routing
Last updated: May 2026

Why Defender for Cloud Matters on SC-200

Microsoft Defender for Cloud is the cloud-native application protection platform (CNAPP) that secures Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources. On the SC-200 exam it sits inside the Manage a security operations environment domain (40-45%), where you are expected to configure posture management, turn on the right workload plans, read the regulatory compliance dashboard, and wire recommendations and alerts into automation.

Defender for Cloud answers two distinct questions:

  • Posture: Is my environment configured securely? This is Cloud Security Posture Management (CSPM): continuous assessment, Secure Score, recommendations, and compliance.
  • Protection: Is my workload under active attack? This is Cloud Workload Protection (CWP): the paid Defender plans that generate security alerts for runtime threats.

The Two-Layer Model

| Layer | Capability | Cost | SC-200 focus |
|---|---|---|---|
| Foundational CSPM | Secure Score, recommendations, asset inventory, basic compliance | Free, on by default | Reading and remediating recommendations |
| Defender CSPM | Agentless scanning, attack path analysis, cloud security graph, risk prioritization | Paid plan | When to enable for risk-based posture |
| Workload protection (CWP) | Runtime threat alerts per resource type | Paid per Defender plan | Mapping a plan to the workload it protects |

Know the dividing line: posture findings are recommendations; runtime detections are security alerts. Exam scenarios often hinge on which one a given finding is.

Secure Score and Recommendations

Secure Score is a single percentage that summarizes the security posture of all connected subscriptions and cloud accounts. It is calculated from security recommendations, which are grouped into security controls. Each control has a maximum point value; you earn its points only when every unhealthy resource in that control is remediated or the recommendation is exempted.

How the Math Works

  • Each security control carries a weighted maximum (for example, Enable MFA historically carries the highest weight).
  • Partial remediation yields partial points within a control, proportional to the share of healthy resources.
  • The overall Secure Score is the sum of earned control points divided by the total possible, expressed as a percentage.
  • Recommendations can be exempted (mitigated or risk-accepted) so they no longer drag the score; exemptions are auditable.

Governance Rules

Defender for Cloud supports governance rules that assign an owner and a due date to a recommendation, set a grace period, and optionally email the owner. This drives accountable remediation instead of an unowned backlog — a common SC-200 scenario when the question asks how to ensure resource owners fix findings on time.

Secure Score % = (sum of earned control points / sum of max control points) x 100
Control points earned = control max x (healthy resources / total resources in control)
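The two formulas above carried through on sample data, as an added example that is not from the page or from Microsoft: the control names, weights and resource counts are constructed, and the model simplifies each security control to a single healthy/total count with exempted resources removed from the denominator.

```python
# Added example: Secure Score arithmetic following the formulas above.
# Control names, weights and counts are constructed sample data; a real
# control spans several recommendations, which this model collapses into
# one healthy/total count per control (a simplifying assumption).
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    name: str
    max_points: int    # weighted maximum for the control
    total: int         # resources evaluated by the control
    healthy: int       # resources already compliant
    exempted: int = 0  # resources covered by an exemption (mitigated / risk-accepted)

    def earned(self) -> float:
        """Control points earned = control max x (healthy / assessed).
        Exempted resources leave the denominator so they no longer drag
        the score; a control with nothing left to assess earns nothing."""
        assessed = self.total - self.exempted
        if assessed <= 0:
            return 0.0
        return self.max_points * min(self.healthy, assessed) / assessed


def secure_score(controls: list[Control]) -> float:
    """Secure Score % = (sum of earned points / sum of max points) x 100."""
    possible = sum(c.max_points for c in controls)
    if possible == 0:
        return 0.0
    return round(sum(c.earned() for c in controls) / possible * 100, 1)


def remediation_gain(controls: list[Control], name: str, fixed: int) -> float:
    """Score change from fixing `fixed` more resources in one control: the
    number a governance-rule owner is accountable for by the due date."""
    after = [replace(c, healthy=c.healthy + fixed) if c.name == name else c
             for c in controls]
    return round(secure_score(after) - secure_score(controls), 1)


# Constructed sample posture: four controls, one partially exempted.
SAMPLE = [
    Control("Enable MFA", max_points=10, total=4, healthy=2),
    Control("Secure management ports", max_points=8, total=10, healthy=5),
    Control("Remediate vulnerabilities", max_points=6, total=3, healthy=1, exempted=1),
    Control("Enable encryption at rest", max_points=4, total=2, healthy=2),
]
# secure_score(SAMPLE) -> 57.1 ; remediation_gain(SAMPLE, "Enable MFA", 2) -> 17.9
```

Finishing the two remaining MFA resources lifts the sample score from 57.1% to 75.0%, which is why the heaviest control is usually the first governance rule worth assigning an owner to.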

A frequently tested distinction: improving Secure Score requires acting on recommendations, not on alerts. Alerts indicate active threats and are handled through incident response, not posture remediation.

[Diagram: Defender for Cloud: Posture vs. Protection]

The Regulatory Compliance Dashboard

The regulatory compliance dashboard maps Defender for Cloud assessments to industry and regulatory frameworks so you can see, per standard, which controls pass and which fail.

Key Behaviors for the Exam

  • The Microsoft Cloud Security Benchmark (MCSB) is assigned by default to every subscription and is the baseline standard.
  • Additional standards — for example PCI DSS, ISO 27001, SOC 2, NIST SP 800-53, and CIS benchmarks — can be added to the compliance dashboard.
  • Some compliance standards require the Defender CSPM plan or a specific workload plan to be enabled before their controls are assessed.
  • Standards are assigned at the scope of a management group, subscription, or cloud account, which lets you apply different baselines to different parts of the estate.
  • Compliance status is exportable through continuous export to Log Analytics or Event Hubs, and via scheduled email reports.

Typical SC-200 Scenario

"An auditor needs monthly evidence that all production subscriptions meet PCI DSS." The answer pattern: add the PCI DSS standard to the regulatory compliance dashboard at the production management group scope, then configure a scheduled compliance report or continuous export for evidence — not a Sentinel analytics rule.

Defender Workload Protection Plans

Each Defender plan is enabled and billed independently and generates security alerts for runtime threats against a specific resource type. SC-200 expects you to match a workload to its plan.

| Defender plan | Protects | Representative detections |
|---|---|---|
| Defender for Servers (Plan 1 / Plan 2) | Windows and Linux VMs, on-prem and multicloud machines via Azure Arc | Endpoint detection and response via Defender for Endpoint integration, file integrity monitoring, just-in-time VM access (Plan 2) |
| Defender for Containers | Azure Kubernetes Service, Arc-enabled and EKS/GKE clusters | Runtime threat detection, image vulnerability scanning, Kubernetes plane alerts |
| Defender for Storage | Azure Blob, Files, Data Lake | Malware scanning on upload, sensitive data exposure, anomalous access |
| Defender for Databases | Azure SQL, SQL on VMs, open-source DBs, Cosmos DB | SQL injection, brute force, anomalous queries |
| Defender for Key Vault | Azure Key Vault | Unusual secret/key access patterns |
| Defender for App Service | Azure App Service web apps | Web shell, dangling DNS, reconnaissance |
| Defender for APIs | Azure API Management APIs | API abuse, data exfiltration, suspicious endpoints |
| Defender for Resource Manager | Control-plane (ARM) operations | Suspicious resource deployments, toolkit use |

Defender for Servers Plan 1 delivers core endpoint detection and response through the Microsoft Defender for Endpoint integration. Plan 2 adds capabilities such as just-in-time VM access, file integrity monitoring, adaptive application controls, and the free monthly data ingestion benefit. Knowing the Plan 1 vs Plan 2 split is a common exam discriminator.

Multicloud Connectors

Defender for Cloud is multicloud. You extend posture and protection to AWS and GCP by creating a security connector.

AWS Connector

  • Onboards an AWS account (or an AWS Organization for fleet-wide coverage).
  • Uses a CloudFormation template or Terraform to create the cross-account IAM role Defender for Cloud assumes.
  • Brings AWS resources into CSPM, and optionally Defender for Servers, Defender for Containers (EKS), and Defender for Databases for AWS workloads.

GCP Connector

  • Onboards a GCP project or organization.
  • Uses workload identity federation so no long-lived service-account keys are stored.
  • Extends CSPM and the same workload plans (Servers, Containers/GKE, Databases) to GCP.

Exam Pattern

When a question asks how to get Secure Score and recommendations for AWS EC2 and GCP Compute from the same portal, the answer is to create AWS and GCP security connectors in Defender for Cloud and enable the relevant Defender plans on each connector — not to deploy a separate tool per cloud.

Workflow Automation

Workflow automation in Defender for Cloud triggers a Logic App when a defined event occurs, enabling auto-remediation, ticketing, and notification routing.

Trigger Types

  • Security alert created or updated (optionally filtered by severity).
  • Recommendation created or updated (filter by recommendation name or state).
  • Secure Score change at subscription scope.

How It Is Wired

  1. Build a Logic App with the Defender for Cloud connector trigger.
  2. Create a workflow automation rule scoped to a subscription or management group.
  3. Define the trigger condition and bind it to the Logic App.
  4. The Logic App runs actions — for example, open a ServiceNow ticket, post to Microsoft Teams, isolate a resource, or call an Azure Function for remediation.
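The trigger condition from step 3 worked through as an added example (not Microsoft's code or the page's own): the dictionary mirrors the shape of a Microsoft.Security/automations resource as I understand it (scopes, sources, ruleSets, actions), and the subscription id, Logic App id, URI, JPath names and sample alerts are constructed placeholders. Rule-set semantics are assumed to be AND within a set and OR across sets, with case-sensitive string comparison.

```python
# Added example (not Microsoft's code): the filter a workflow automation
# applies before it fires its Logic App, in the Microsoft.Security/automations
# resource shape. Ids, URIs, JPath names and alerts are constructed placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

AUTOMATION = {
    "name": "route-alerts-to-soc",
    "properties": {
        "isEnabled": True,
        "scopes": [{"scopePath": SUB}],
        "sources": [{
            "eventSource": "Alerts",
            # Rules inside one set are ANDed; separate sets are ORed (assumed).
            "ruleSets": [
                {"rules": [{"propertyJPath": "Severity", "propertyType": "String",
                            "operator": "Equals", "expectedValue": "High"}]},
                {"rules": [{"propertyJPath": "Severity", "propertyType": "String",
                            "operator": "Equals", "expectedValue": "Medium"},
                           {"propertyJPath": "AlertDisplayName", "propertyType": "String",
                            "operator": "Contains", "expectedValue": "web shell"}]},
            ],
        }],
        "actions": [{"actionType": "LogicApp",
                     "logicAppResourceId": SUB + "/resourceGroups/rg-soc/providers/Microsoft.Logic/workflows/notify-soc",
                     "uri": "https://example.invalid/trigger"}],
    },
}

OPERATORS = {  # case-sensitive comparison is an assumption of this example
    "Equals": lambda v, e: v == e,
    "NotEquals": lambda v, e: v != e,
    "Contains": lambda v, e: e in v,
    "StartsWith": lambda v, e: v.startswith(e),
}

def jpath(event: dict, path: str):
    # Walk a dotted JPath such as 'properties.metadata.severity'.
    for part in path.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def rule_matches(event: dict, rule: dict) -> bool:
    value = jpath(event, rule["propertyJPath"])
    return value is not None and OPERATORS[rule["operator"]](str(value), rule["expectedValue"])

def should_trigger(automation: dict, event: dict) -> bool:
    """True when every rule of at least one rule set matches the event."""
    return any(all(rule_matches(event, r) for r in rs["rules"])
               for src in automation["properties"]["sources"]
               for rs in src["ruleSets"])
```

A Medium alert whose name lacks "web shell" falls through both rule sets and never reaches the Logic App, which is the behaviour to check when an automation seems to fire less often than expected.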

This is distinct from Sentinel automation rules and playbooks: Defender for Cloud workflow automation is scoped to posture and CWP events in Defender for Cloud, while Sentinel automation responds to Sentinel incidents and alerts. SC-200 questions test that you pick the Defender for Cloud mechanism when the trigger is a Defender for Cloud recommendation or secure score change.

Test Your Knowledge

A SOC team wants attack path analysis and a cloud security graph that prioritizes posture risk across Azure and onboarded AWS accounts. Which Defender for Cloud capability must be enabled?

Test Your Knowledge

An analyst remediated a high-severity Defender for Cloud security alert on an Azure VM but is confused that the subscription's Secure Score did not change. What is the correct explanation?

Test Your Knowledge

Compliance requires monthly evidence that all production subscriptions meet PCI DSS. Which Defender for Cloud action best satisfies this?
