11.3 Defender Playbook for Protection, Detection, and Posture

Key Takeaways

  • Microsoft Defender is a product family, so the workload named in the scenario determines the specific Defender service.
  • Defender for Cloud protects cloud resources through posture management (secure score) and workload protection; Defender for Cloud Apps is a CASB for SaaS app discovery and control.
  • Defender for Identity detects attacks against on-premises Active Directory; Defender for Endpoint protects devices; Defender for Office 365 protects email and collaboration.
  • Microsoft Defender XDR (formerly Microsoft 365 Defender) correlates signals across Defender services in the unified Microsoft Defender portal.
Last updated: June 2026

Match Defender to the Protected Workload

Microsoft Defender is not one capability in SC-900. It is a security product family whose services protect different workloads and feed broader detection and response. When a question offers Defender answer choices, pause on the noun being protected. Is it a cloud resource, an endpoint device, an email message, a SaaS application, an on-premises identity system, a vulnerability exposure, or a threat-intelligence need? Naming the workload almost always selects the service.

The single biggest trap is Microsoft Defender for Cloud versus Microsoft Defender for Cloud Apps. Defender for Cloud is cloud security posture management (CSPM) plus cloud workload protection: recommendations, security standards, regulatory compliance views, secure score, and multicloud resource protection. It is the rebrand of Azure Security Center and Azure Defender. Defender for Cloud Apps is a cloud access security broker (CASB) for SaaS app discovery, app risk scoring, and session control; it is the rebrand of Microsoft Cloud App Security (MCAS).

Product or capability                      | Scenario clues                                                                                  | Frequently confused with
Microsoft Defender for Cloud               | Cloud resources, VMs, posture, standards, recommendations, secure score, workload protection     | Defender for Cloud Apps
Microsoft Defender for Endpoint            | Endpoint devices, device threats, on-device vulnerability exposure                              | Network security groups
Microsoft Defender for Office 365          | Email and collaboration threats, phishing, malicious attachments and links                      | Purview retention labels
Microsoft Defender for Cloud Apps          | SaaS app discovery, app control, shadow IT, CASB                                                | Defender for Cloud
Microsoft Defender for Identity            | On-premises Active Directory signals, lateral movement, identity attacks                        | Entra ID Protection / access reviews
Microsoft Defender Vulnerability Management | Exposure, weaknesses, vulnerability prioritization                                             | Compliance Manager score
Microsoft Defender Threat Intelligence     | Threat-actor context, indicators, intelligence enrichment                                       | Microsoft Priva

XDR Means Correlated Detection and Response

Above the individual workload services sits the correlation layer:

  • Microsoft Defender XDR is the current name for extended detection and response across Microsoft Defender services. It was formerly called Microsoft 365 Defender.
  • The Microsoft Defender portal is the unified console where XDR stitches endpoint, email, identity, and cloud-app signals into combined incidents.
  • A single Defender workload product is still the answer when the scenario narrows to one protected workload.
  • Microsoft Sentinel is a separate SIEM/SOAR product even though Sentinel's experience is converging into the Defender portal; XDR correlates Microsoft-native signals, while Sentinel ingests data from any source.

Defender for Cloud earns extra attention because it appears in both product-selection and cloud-posture review questions. If a scenario asks for recommendations, security policies, regulatory compliance posture, secure score, or cloud workload protection, Defender for Cloud is the strong candidate. If the scenario asks about Azure Firewall, Web Application Firewall, network security groups (NSGs), Azure Bastion, or Azure DDoS Protection, those are Azure infrastructure controls rather than Defender services and are usually distractors.

Track the Workload, Avoid the Swap

Defender for Office 365 and Defender for Endpoint are easy to separate if you track the workload. Email, collaboration, phishing, and malicious-attachment scenarios point to Office 365 protection. Device compromise, endpoint investigation, and device-vulnerability language point to Endpoint. On-premises Active Directory attack detection (such as lateral movement or pass-the-hash) points to Defender for Identity — and note that this is on-premises AD signal analysis, distinct from Entra ID Protection, which scores cloud identity risk. SaaS app discovery and shadow-IT control point to Cloud Apps.

The exam may combine products in a realistic story. Defender for Endpoint can raise endpoint alerts, Defender XDR can correlate those alerts with email and identity signals into one incident, and Sentinel can ingest the data for SIEM analytics and SOAR playbooks. In a single-best-answer question, choose the product that owns the requested action. Detecting a threat on a device is not the same request as correlating multi-workload Microsoft signals, which is not the same request as automating an incident-response playbook across every source. Name the action, then pick the layer.

Posture Versus Protection, and Azure Infrastructure Distractors

Defender for Cloud splits into two ideas the exam loves to test side by side. Cloud security posture management (CSPM) is the preventive, always-on side: it continuously assesses configuration against security standards, raises recommendations, and rolls them into a secure score so teams can prioritize remediation. Cloud workload protection (CWP), delivered through the Defender plans (for example Defender for Servers, Defender for Storage, Defender for SQL, and Defender for Containers), is the detective, threat-focused side that generates security alerts for active threats against those resources.

A prompt about "improving our security score" or "seeing recommendations against a standard" is CSPM; a prompt about "alerting on an attack against a SQL database or storage account" is CWP. Both live inside Defender for Cloud.
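The secure score rollup is the part of CSPM worth seeing with numbers. The following is an added example, not code from the page or from Microsoft: it applies the per-control formula Defender for Cloud documents (max score scaled by the fraction of healthy resources, summed across controls into points and a percentage) to a constructed set of controls, and then orders them by the points their remediation would unlock, which is how the portal's recommendations are prioritized. In a real tenant the same counts come from the securityresources table in Azure Resource Graph; the class, field names and sample values here are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityControl:
    """One Defender for Cloud security control with its resource health counts.

    Constructed shape for this example: the real values come from the
    securityresources table in Azure Resource Graph; the field names are ours.
    """
    name: str
    max_score: int
    healthy: int
    unhealthy: int

    @property
    def applicable(self) -> bool:
        # Assumption: a control with no applicable resources drops out of the rollup.
        return self.healthy + self.unhealthy > 0

    @property
    def current_score(self) -> float:
        # Documented control formula: max score scaled by the healthy fraction.
        if not self.applicable:
            return 0.0
        return self.max_score * self.healthy / (self.healthy + self.unhealthy)

    @property
    def potential_increase(self) -> float:
        # Points the control would add if every unhealthy resource were fixed.
        return self.max_score - self.current_score if self.applicable else 0.0


def secure_score(controls):
    """Return (current points, max points, percentage) across applicable controls."""
    applicable = [c for c in controls if c.applicable]
    max_total = sum(c.max_score for c in applicable)
    current = sum(c.current_score for c in applicable)
    pct = 100.0 * current / max_total if max_total else 0.0
    return round(current, 2), max_total, round(pct, 1)


def remediation_order(controls):
    """Control names ordered by the score gain their remediation unlocks (largest first)."""
    candidates = [c for c in controls if c.potential_increase > 0]
    return [c.name for c in sorted(candidates, key=lambda c: (-c.potential_increase, c.name))]


# Constructed sample, not real tenant data.
SAMPLE_CONTROLS = [
    SecurityControl("Enable MFA", max_score=10, healthy=3, unhealthy=7),
    SecurityControl("Secure management ports", max_score=8, healthy=2, unhealthy=2),
    SecurityControl("Remediate vulnerabilities", max_score=6, healthy=6, unhealthy=0),
    SecurityControl("Encrypt data in transit", max_score=4, healthy=0, unhealthy=0),
]

if __name__ == "__main__":
    current, maximum, pct = secure_score(SAMPLE_CONTROLS)
    print(f"Secure score: {current} / {maximum} points ({pct}%)")
    for name in remediation_order(SAMPLE_CONTROLS):
        print("Fix next:", name)
```

Note that the fully healthy control still counts toward the maximum, so the percentage only reaches 100 when every applicable control is fully remediated; the control with no applicable resources contributes nothing either way.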

Need in the scenario                         | Defender for Cloud side          | Signal phrase
See and fix misconfigurations, raise score   | CSPM (posture)                   | Recommendations, standards, secure score
Detect active attacks on a workload          | CWP (Defender plans)             | Alert on threat to VM, SQL, storage, container
Open VM ports only on request                | Just-in-time VM access           | RDP/SSH, management ports
View regulatory compliance status            | Regulatory compliance dashboard  | PCI, ISO, CIS benchmark posture

The Azure infrastructure controls are the second big distractor set, and they are not Defender products. Azure Firewall is a managed, stateful network firewall. A network security group (NSG) filters traffic to and from Azure resources at the subnet or NIC level. Azure DDoS Protection defends against volumetric network attacks. Azure Bastion provides secure RDP/SSH connectivity without exposing public IPs. Web Application Firewall (WAF), part of Application Gateway or Front Door, protects web apps from common exploits like SQL injection. These are defense-in-depth network and perimeter controls.

When a scenario describes a network control rather than posture assessment, workload threat detection, or identity, the answer is one of these Azure services — and a Defender option in the list is the trap. Knowing this clean split between Defender services (posture and threat protection) and Azure infrastructure security (network and perimeter) resolves a meaningful slice of the security-solutions domain, which carries roughly 25 to 30 percent of the exam.
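The NSG is the control most often swapped with a Defender product, so it helps to see how its rules actually decide a flow, and what the "management ports should be closed" posture check is looking at. The following is an added example, not code from the page or from Microsoft: it evaluates inbound NSG rules the way the platform does (ascending priority, first match wins, with the real default rules at 65000, 65001 and 65500 appended), then probes a weak rule set that opens RDP to any source and a hardened one that restricts RDP to an assumed corporate range and denies management ports from the Internet tag. The VNet address space, the corporate CIDR, and the simplified handling of the Internet and VirtualNetwork service tags are this example's own assumptions; just-in-time VM access automates the same idea by adding a time-bound allow rule for the requester's IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: VNet address space used to resolve the VirtualNetwork/Internet service tags.
VNET_SPACE = ip_network("10.0.0.0/16")
AZURE_LB_IP = ip_address("168.63.129.16")   # platform address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first; first match wins
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, "*", or service tag Internet/VirtualNetwork/AzureLoadBalancer
    dest_ports: str      # "3389", "22-23", "22,3389" or "*"


# Default inbound rules every NSG carries; the priorities are the real platform values.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _port_matches(spec: str, port: int) -> bool:
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _source_matches(spec: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET_SPACE          # simplification of the real tag (assumed)
    if spec == "Internet":
        return ip not in VNET_SPACE      # simplification of the real tag (assumed)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_IP
    return ip in ip_network(spec, strict=False)


def evaluate_inbound(rules, src_ip: str, port: int, protocol: str = "Tcp"):
    """Return (access, rule name) for an inbound flow: ascending priority, first match wins."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_ports, port)):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # not reached: the default deny rule always matches


MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def exposed_management_ports(rules, internet_ip: str = "203.0.113.10"):
    """Posture check: which management ports an arbitrary Internet source reaches, and via which rule."""
    exposed = {}
    for port, label in MANAGEMENT_PORTS.items():
        access, rule_name = evaluate_inbound(rules, internet_ip, port)
        if access == "Allow":
            exposed[label] = rule_name
    return exposed


# Weak: the classic "RDP open to the world" rule (constructed).
WEAK_RULES = [NsgRule("allow-rdp-any", 100, "Allow", "Tcp", "*", "3389")]

# Hardened: RDP only from an assumed corporate range; management ports denied from Internet (constructed).
HARDENED_RULES = [
    NsgRule("allow-rdp-corp", 100, "Allow", "Tcp", "198.51.100.0/24", "3389"),
    NsgRule("deny-mgmt-internet", 200, "Deny", "Tcp", "Internet", "22,3389"),
]

if __name__ == "__main__":
    print("weak:", exposed_management_ports(WEAK_RULES))
    print("hardened:", exposed_management_ports(HARDENED_RULES))
```

The hardened set still lets a host inside the VNet reach SSH through the default AllowVnetInBound rule, which is the intended behaviour: the explicit deny only covers the Internet tag, and the management path from inside the network is where Bastion or JIT access sits.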

Test Your Knowledge

A company wants security recommendations, regulatory compliance views, and posture management with a secure score for its cloud resources. Which Defender product is the best match?

A question mentions discovering shadow-IT SaaS applications and applying session controls to risky cloud apps. Which product should you choose?

A scenario describes detecting lateral movement and credential attacks against on-premises Active Directory. Which Defender service is most directly aligned?