11.3 Defender Playbook for Protection, Detection, and Posture
Key Takeaways
- Microsoft Defender is a family name, so the workload in the scenario determines the specific Defender product.
- Defender for Cloud protects cloud resources through posture management and workload protection.
- Defender for Cloud Apps focuses on SaaS app discovery and control, not cloud infrastructure posture.
- Microsoft Defender XDR brings signals across Defender services into a broader extended detection and response experience.
Match Defender to the Protected Workload
Microsoft Defender is not one single capability in SC-900. It is a security product family with multiple services that protect different workloads and feed broader detection and response. When a question includes Defender answer choices, pause on the noun being protected. Is it a cloud resource, endpoint device, email message, SaaS application, on-premises identity system, vulnerability exposure, or threat intelligence need?
The biggest trap is Microsoft Defender for Cloud versus Microsoft Defender for Cloud Apps. Defender for Cloud is about cloud security posture management, recommendations, regulatory compliance views, and workload protection for cloud resources. Defender for Cloud Apps is about cloud access security broker (CASB) scenarios such as SaaS app discovery and control. The names are similar, but the exam clues are different.
| Product or capability | Scenario clues | What to avoid confusing it with |
|---|---|---|
| Microsoft Defender for Cloud | Cloud resources, posture, standards, recommendations, workload protection | Defender for Cloud Apps |
| Microsoft Defender for Endpoint | Endpoint devices, device threats, vulnerability exposure on devices | Network security groups |
| Microsoft Defender for Office 365 | Email and collaboration threats, phishing, malicious attachments | Purview retention labels |
| Microsoft Defender for Cloud Apps | SaaS app discovery, app control, cloud app risk | Defender for Cloud |
| Microsoft Defender for Identity | On-premises Active Directory signals and identity attacks | Entra access reviews |
| Defender Vulnerability Management | Exposure, weaknesses, vulnerability prioritization | Compliance Manager score |
| Defender Threat Intelligence | Threat actor and threat intelligence context | Microsoft Priva |
XDR Means Correlated Detection and Response
- Microsoft Defender XDR (formerly Microsoft 365 Defender) is the current name for extended detection and response across Microsoft Defender services.
- The Microsoft Defender portal is the place to recognize when a question describes a unified security operations experience for Defender signals.
- A single Defender workload product is still chosen when the scenario narrows to one protected workload.
- Sentinel is separate from Defender XDR even though both can support security operations.
Defender for Cloud belongs in both product-selection and cloud-security posture review. If a scenario asks for recommendations, security policies, standards, regulatory compliance posture, secure score, or cloud workload protection, Defender for Cloud is a strong candidate. If the scenario asks for Azure Firewall, Web Application Firewall, network security groups, or Azure Bastion, those are Azure infrastructure controls rather than Defender services.
Defender for Office 365 and Defender for Endpoint are easier to tell apart if you track the workload. Email, collaboration, phishing, and malicious attachment scenarios point to Office 365 protection. Device compromise, endpoint investigation, and device vulnerability language point to Endpoint. On-premises Active Directory attack detection points to Defender for Identity. SaaS app discovery and control points to Cloud Apps.
The exam may also combine products in a realistic security operations story. For example, Defender for Endpoint can generate endpoint alerts, Defender XDR can correlate signals, and Sentinel can ingest data and run SIEM or SOAR workflows. In a question with only one best answer, choose the product that owns the requested action. Detecting threats on a device is not the same request as automating an incident response playbook.
A company wants recommendations and posture management for cloud resources. Which Defender product is the best match?
A question mentions SaaS application discovery and control. Which product should you choose?
A scenario describes phishing and malicious email attachments. Which Defender workload service is most directly aligned?