8.6 Vulnerability Management and Threat Intelligence
Key Takeaways
- Defender Vulnerability Management is the Defender capability to associate with weaknesses and exposure.
- Defender Threat Intelligence is the Defender capability to associate with threat context and intelligence.
- Both capabilities are listed in the SC-900 Microsoft security solutions boundary.
- Use product names and scenario cues; do not replace them with Sentinel, Purview, or Entra answers.
Exposure and Threat Context
The source brief lists Defender Vulnerability Management and Defender Threat Intelligence as Microsoft security solution topics for SC-900. These names are descriptive, so use them carefully. Vulnerability Management points to weaknesses, exposure, and prioritization of security improvements. Threat Intelligence points to information and context about threats.
These capabilities are part of the Defender XDR chapter because they support security decision-making across the Defender family. They are not Microsoft Purview compliance features, not Microsoft Entra role governance features, and not Microsoft Sentinel SIEM and SOAR features. A question that asks for vulnerability or threat intelligence wording should remain in the Defender security solutions lane unless it clearly asks for Sentinel analytics or hunting.
| Scenario cue | Defender capability | Avoid choosing |
|---|---|---|
| Identify and prioritize vulnerabilities | Defender Vulnerability Management | Microsoft Purview Compliance Manager |
| Understand threat context or intelligence | Defender Threat Intelligence | Microsoft Entra access reviews |
| Investigate Defender incidents in one portal | Microsoft Defender XDR | Microsoft Sentinel workbooks |
| Search across SIEM data with hunting | Microsoft Sentinel | Defender Threat Intelligence |
A common trap is treating every threat word as Sentinel. Sentinel is the answer for SIEM, SOAR, centralized security analysis, analytics, hunting, workbooks, incidents in Sentinel, automation rules, and playbooks. Defender Threat Intelligence is the better match when the prompt is specifically asking for threat intelligence as a Defender capability. The difference is whether the question is about security operations analysis or threat context.
Another trap is treating vulnerability management as compliance score. Microsoft Purview Compliance Manager and compliance score belong to the compliance solutions domain. Defender Vulnerability Management belongs to the security solutions domain and is tied to weaknesses and exposure. Both can help an organization reduce risk, but they are not the same exam answer.
Use these final product cues:
-
Vulnerability or exposure wording means Defender Vulnerability Management.
-
Threat intelligence or threat context wording means Defender Threat Intelligence.
-
Defender portal and cross-service incidents mean Microsoft Defender XDR.
-
SIEM, SOAR, hunting, workbooks, or playbooks mean Microsoft Sentinel.
-
Labels, DLP, retention, eDiscovery, audit, or compliance score mean Microsoft Purview.
For SC-900, you should be able to eliminate answers by domain. Vulnerability Management and Threat Intelligence are security solution topics within the Defender family, so choose them when the scenario names those needs directly.
Exposure and Intelligence Decision Check
These names are descriptive, so let them guide the answer. Vulnerability Management is the safer match for weaknesses and exposure. Threat Intelligence is the safer match for threat context. If the prompt shifts to SIEM hunting or playbooks, it has moved out of this Defender capability pair and into Sentinel.
-
Vulnerability wording means Defender Vulnerability Management.
-
Threat intelligence wording means Defender Threat Intelligence.
-
SIEM, SOAR, hunting, and playbooks mean Microsoft Sentinel.
Which Defender capability best matches identifying and prioritizing vulnerabilities?
Which Defender capability best matches threat intelligence and threat context?
Which scenario should point away from Defender Threat Intelligence and toward Microsoft Sentinel?