SC-900 | Chapter 99 of 103 | Objective 3.3

Threat and Vulnerability Management

This chapter covers threat and vulnerability management within Microsoft's security solutions, a key area for the SC-900 exam. You will learn how Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Azure Security Benchmark work together to identify, assess, and remediate vulnerabilities and threats. Approximately 15-20% of SC-900 questions relate to these security management capabilities, making this a high-yield topic for the exam.

25 min read
Intermediate
Updated May 31, 2026

Microsoft Defender for Cloud as a Security Operations Center

Imagine a large corporate building with multiple floors, each floor representing a different workload (servers, containers, databases, storage accounts). The building has a Security Operations Center (SOC) on the ground floor. The SOC constantly receives alerts from smoke detectors, motion sensors, and door sensors placed throughout the building. When a sensor triggers, the SOC operator checks a central dashboard that shows the exact location, severity, and type of alert. The operator can then take immediate action: lock down a floor, dispatch a guard, or call the fire department. Additionally, the SOC performs regular vulnerability scans by sending out a team to check every door lock, window latch, and alarm system, and reports any weaknesses. Over time, the SOC builds a baseline of normal activity—like which doors are used frequently and at what times—and can detect anomalies, such as a door opening at 3 AM when no one should be there. The SOC also integrates with external threat intelligence feeds (like police bulletins about recent break-ins) to prioritize alerts. In this analogy, Microsoft Defender for Cloud is that SOC: it continuously monitors your hybrid and multi-cloud environments, assesses vulnerabilities, provides security recommendations, and uses advanced analytics to detect and respond to threats. Just as the SOC can be configured to automatically lock doors when a fire alarm is triggered, Defender for Cloud can automatically remediate certain misconfigurations or initiate response actions via Azure Policy and logic apps.

How It Actually Works

What is Threat and Vulnerability Management?

Threat and vulnerability management (TVM) is the continuous process of identifying, evaluating, prioritizing, and remediating security weaknesses in an organization's IT infrastructure. In the Microsoft ecosystem, TVM is primarily delivered through Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender). Defender for Cloud provides unified security management across hybrid and multi-cloud workloads, including Azure, on-premises, and other cloud providers like AWS and GCP.

How Microsoft Defender for Cloud Works

Defender for Cloud operates via two main pillars: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). CSPM focuses on identifying misconfigurations and compliance violations using Azure Policy and security benchmarks. CWP provides threat detection and advanced defenses for specific workload types (VMs, databases, containers, etc.).

Key Components

- Azure Policy: Enforces rules on Azure resources. Defender for Cloud uses built-in policies mapped to security benchmarks. For example, a policy might require that all storage accounts have HTTPS-only traffic enabled.

- Security Recommendations: Generated when a resource violates a policy. Each recommendation has a severity level (High, Medium, Low) and a remediation step. Examples: "Vulnerabilities in Azure Container Registry images should be remediated" or "MFA should be enabled on accounts with owner permissions on subscriptions."

- Secure Score: A numerical value (0-100%) that indicates your overall security posture. It is calculated from the compliance status of recommendations. Each recommendation contributes a certain number of points, and remediating a recommendation increases your secure score. The formula is: (Number of healthy resources / Total number of resources for a recommendation) * Max points for that recommendation.

- Vulnerability Assessment: Integrated with Qualys or Microsoft Defender for Cloud's own vulnerability scanner (built-in for VMs and container registries). Scans check for missing patches, weak configurations, and known CVEs.

- Threat Detection: Uses machine learning and behavioral analytics to detect suspicious activities, such as unusual RDP/SSH attempts, malware, or data exfiltration. Alerts are generated with severity levels (Informational, Low, Medium, High).

Step-by-Step Mechanism

1. Policy Assignment: When you enable Defender for Cloud on a subscription, it automatically assigns the Azure Security Benchmark initiative (a set of Azure Policy definitions). This initiative includes hundreds of policies that check resource configurations.

2. Continuous Assessment: The Defender for Cloud agent (or Azure Policy engine) continuously evaluates resources against these policies. For VMs, the Log Analytics agent collects security-relevant logs (event logs, syslog, performance counters).

3. Recommendation Generation: If a resource fails a policy check, a recommendation is created. For example, if a VM lacks endpoint protection, the recommendation "Endpoint protection should be installed on your machines" appears.

4. Secure Score Calculation: Each recommendation has a maximum score (e.g., 10 points). The secure score is the sum of achieved points divided by total possible points. Remediating a recommendation adds points to your score.

5. Vulnerability Scanning: For VMs, you can enable the built-in vulnerability assessment solution (Qualys or Microsoft Defender for Cloud scanner). Scans run weekly and report vulnerabilities with severity and CVSS scores.

6. Threat Alerts: When suspicious activity is detected (e.g., multiple failed logins from a known malicious IP), an alert is generated. Alerts include details like affected resource, time, and recommended response.

7. Automation: Using Azure Logic Apps, you can create automated responses to alerts or recommendations. For example, when a high-severity alert fires, automatically create a ticket in ServiceNow.
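As an added illustration (not code from the chapter or from Microsoft), the secure score formula from step 4 and the Key Components list carried through in Python: per-recommendation points, the overall percentage, and which remediation actually moves the score. The recommendation names come from this chapter; the max-point values and resource counts are constructed sample data.

```python
"""Worked secure score calculation, following the formula this chapter gives:
per recommendation, points = (healthy resources / total resources) * max points,
and the overall score is achieved points divided by total possible points.
The max-point values and counts below are constructed assumptions, not a real tenant."""
from dataclasses import dataclass

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Recommendation:
    name: str
    severity: str    # High / Medium / Low, as Defender for Cloud labels them
    max_points: int  # maximum contribution of this recommendation (assumed values)
    healthy: int     # resources that pass the policy check
    total: int       # resources the recommendation applies to

    def achieved_points(self) -> float:
        # Assumption: a recommendation with no applicable resources scores nothing.
        if self.total == 0:
            return 0.0
        return self.max_points * self.healthy / self.total

    def points_gained_if_remediated(self) -> float:
        # What fixing every remaining unhealthy resource would add to the score.
        return self.max_points - self.achieved_points()


def secure_score_percent(recs: list[Recommendation]) -> float:
    """Overall secure score as a percentage (0-100), rounded to one decimal."""
    # Assumption: recommendations with no applicable resources are left out of the denominator.
    possible = sum(r.max_points for r in recs if r.total > 0)
    if possible == 0:
        return 100.0
    achieved = sum(r.achieved_points() for r in recs)
    return round(100 * achieved / possible, 1)


def remediation_priority(recs: list[Recommendation]) -> list[Recommendation]:
    """Order recommendations by points gained, then by severity.

    This is the counter to 'secure score gaming': the easiest fix is not always
    the one that moves the score, and this ordering shows which fix does."""
    return sorted(
        recs,
        key=lambda r: (-r.points_gained_if_remediated(), SEVERITY_RANK[r.severity]),
    )


def score_after_remediating(recs: list[Recommendation], name: str) -> float:
    """Secure score once every resource under the named recommendation is healthy."""
    updated = [
        Recommendation(r.name, r.severity, r.max_points, r.total, r.total)
        if r.name == name else r
        for r in recs
    ]
    return secure_score_percent(updated)


# Constructed sample: recommendations named in the chapter with made-up counts.
SAMPLE = [
    Recommendation("MFA should be enabled on accounts with owner permissions on subscriptions",
                   "High", 10, 5, 10),   # 5 of 10 owners lack MFA -> 5.0 of 10 points
    Recommendation("Vulnerabilities in virtual machines should be remediated", "High", 6, 3, 12),
    Recommendation("Endpoint protection should be installed on your machines", "Medium", 4, 12, 12),
    Recommendation("Storage accounts should have HTTPS-only traffic enabled", "Medium", 4, 18, 20),
    Recommendation("Diagnostic logs should be enabled on resources", "Low", 1, 0, 30),
]

if __name__ == "__main__":
    print(f"Secure score: {secure_score_percent(SAMPLE)}%")  # 56.4%
    for r in remediation_priority(SAMPLE):
        print(f"{r.points_gained_if_remediated():4.1f} pts  {r.severity:<6} {r.name}")
    # Fixing the two storage accounts gains 0.4 points; fixing the five owner accounts gains 5.0.
    print("After MFA fully remediated:", score_after_remediating(SAMPLE, SAMPLE[0].name), "%")  # 76.4
```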

Integration with Microsoft Sentinel

Defender for Cloud sends security alerts to Microsoft Sentinel, the cloud-native SIEM/SOAR. This allows correlation with other data sources (e.g., Office 365, Azure AD) for advanced threat hunting and incident response.

Default Values and Timers

Secure Score Update: Every 24 hours, but can be refreshed manually.

Vulnerability Scan Frequency: Weekly by default for VMs; on-demand for container images.

Alert Retention: Up to 90 days in Defender for Cloud; longer if sent to Sentinel.

Policy Evaluation Cycle: Every 24 hours for Azure Policy; near real-time for some configurations (e.g., network security groups).

Configuration and Verification Commands

While SC-900 does not require deep command-line knowledge, familiarity with Azure CLI and PowerShell can help. Example Azure CLI command to list the recommendations (the CLI exposes them as security assessments) that are currently unhealthy:

az security assessment list --query "[?status.code=='Unhealthy'].displayName" -o tsv

Example to enable the Standard (enhanced security) tier for virtual machines on a subscription:

az security pricing create --name 'VirtualMachines' --tier 'Standard'

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)

This is a CASB (Cloud Access Security Broker) that extends TVM to SaaS applications like Office 365, Salesforce, and Dropbox. It discovers shadow IT, assesses app risk, and enforces policies (e.g., session controls to block downloads from risky locations).

Azure Security Benchmark

A set of security best practices based on common compliance frameworks (CIS, NIST, PCI). It provides prescriptive guidance for securing Azure workloads. Defender for Cloud uses the Azure Security Benchmark as its default policy initiative.

Microsoft Defender Vulnerability Management

Built into Microsoft Defender for Endpoint, this provides real-time vulnerability detection and prioritization for endpoints. It uses a risk-based approach, factoring in threat intelligence, exploitability, and business context.

Key Terms for the Exam

CSPM: Cloud Security Posture Management - focuses on configuration and compliance.

CWP: Cloud Workload Protection - focuses on threat detection and advanced defenses.

Secure Score: A metric to measure security posture.

Recommendations: Actionable steps to improve security.

Vulnerability Assessment: Scanning for known vulnerabilities.

Threat Detection: Identifying active attacks.

Azure Security Benchmark: A set of security guidelines.

Exam Trap: Confusing Secure Score with Compliance Score

Secure Score measures adherence to security best practices (Azure Security Benchmark). Compliance Score (in Microsoft Compliance Manager) measures adherence to regulatory standards like GDPR or HIPAA. They are different. The exam may ask which tool provides a specific score.

Exam Trap: Overlooking Hybrid Capabilities

Defender for Cloud supports on-premises and other clouds via Azure Arc. Questions may test that Defender for Cloud can protect non-Azure resources, not just Azure VMs.

Exam Trap: Assuming All Recommendations Are Remediated Automatically

Most recommendations require manual remediation, but some can be automated via Azure Policy's 'DeployIfNotExists' effect or Logic Apps. The exam may present a scenario where automatic remediation is possible.

Summary

Threat and vulnerability management in Microsoft's ecosystem is a multi-layered approach combining posture management, vulnerability scanning, threat detection, and automated response. Defender for Cloud is the central console, while Defender for Cloud Apps, Microsoft Sentinel, and Azure Security Benchmark complement its capabilities. For SC-900, focus on understanding the purpose of each service, how secure score works, and the difference between CSPM and CWP.

Walk-Through

1. Enable Defender for Cloud on Subscription

Navigate to Microsoft Defender for Cloud in the Azure portal. On the 'Getting started' page, select the subscription(s) you want to protect. Click 'Upgrade' to enable the enhanced security features (Standard tier), which include threat detection and vulnerability assessment. The free tier (CSPM) only provides posture management and secure score. Once enabled, Defender for Cloud automatically assigns the Azure Security Benchmark initiative and begins assessing resources. The initial assessment may take up to 24 hours to complete. You can verify enablement via the 'Environment settings' blade.

2. Review Secure Score and Recommendations

Go to 'Secure score' in Defender for Cloud. Here you see your overall score and a breakdown by control groups (e.g., 'Enable MFA', 'Remediate vulnerabilities'). Each control has a list of recommendations. Click on a recommendation to see affected resources and remediation steps. For example, 'Vulnerabilities in virtual machines should be remediated' shows which VMs have missing patches. The secure score is calculated based on the percentage of healthy resources for each recommendation. Remediating a high-severity recommendation adds more points than a low-severity one.

3. Enable Vulnerability Assessment for VMs

In Defender for Cloud, under 'Recommendations', find 'A vulnerability assessment solution should be enabled on your virtual machines'. Select the recommendation and choose 'Quick fix!' to deploy the built-in vulnerability assessment solution (powered by Qualys) on the affected VMs. This installs an extension that scans the VM weekly. Scans check for missing OS patches, weak configurations, and known CVEs. Results appear in the 'Vulnerabilities' blade. Alternatively, you can use Microsoft Defender for Cloud's integrated vulnerability scanner (available with Microsoft Defender for Servers).

4. Configure Threat Detection Alerts

Under 'Security alerts', you can view alerts generated by Defender for Cloud. Alerts are categorized by severity (High, Medium, Low, Informational). Each alert includes a description, affected resource, and recommended response. You can configure alert notifications via email or integrate with SIEM (e.g., Microsoft Sentinel) using continuous export. To set up email notifications, go to 'Environment settings' -> 'Email notifications' and specify recipients. For advanced automation, use 'Workflow automation' to trigger Logic Apps on specific alerts.

5. Implement Automatic Remediation with Azure Policy

Some recommendations can be remediated automatically using Azure Policy's 'DeployIfNotExists' effect. For example, the recommendation 'Endpoint protection should be installed on your machines' can be configured to automatically deploy Microsoft Antimalware to VMs that lack it. To do this, go to 'Security policy' in Defender for Cloud, select the initiative, and enable the policy with a 'DeployIfNotExists' effect. This policy runs during the next evaluation cycle and installs the extension without manual intervention. Note: Not all recommendations support automatic remediation; check the 'Remediation' tab.

What This Looks Like on the Job

Enterprise Scenario 1: Multi-Cloud Security Posture Management

A large enterprise runs workloads in Azure, AWS, and on-premises. They use Azure Arc to connect non-Azure servers to Azure, and enable Defender for Cloud on all environments. Defender for Cloud provides a unified dashboard showing secure score across clouds. They discover that many AWS S3 buckets are publicly accessible, a high-severity misconfiguration. The security team creates a custom Azure Policy (via Azure Policy for AWS) to detect and alert on public buckets. They also use Defender for Cloud's 'Regulatory compliance' dashboard to track adherence to PCI DSS across all clouds. The secure score improves from 40% to 75% after remediating critical findings.

Scenario 2: Vulnerability Management for Containerized Workloads

A fintech company uses Azure Kubernetes Service (AKS) and Azure Container Registry (ACR). They enable Defender for Cloud with the container security plan. Defender for Cloud scans container images in ACR for vulnerabilities (CVEs) and provides recommendations like 'Container images should be scanned for vulnerabilities'. They set up a Logic App that automatically blocks deployment of any pod using an image with a critical CVE. Additionally, Defender for Cloud monitors runtime security for AKS clusters, detecting suspicious container activities (e.g., crypto mining). The security team receives an alert when a container attempts to mount the host filesystem, indicating a potential escape attempt.

Scenario 3: Automated Response to Threat Alerts

A healthcare organization uses Microsoft Sentinel as its SIEM. Defender for Cloud sends all high-severity alerts to Sentinel. They create a Sentinel analytics rule that, when a user logs in from an impossible travel location and accesses sensitive patient data, automatically triggers a playbook. The playbook disables the user's account in Azure AD, blocks the IP in Azure Firewall, and creates an incident in ServiceNow. This automated response reduces the mean time to respond (MTTR) from hours to minutes. The organization also uses Defender for Cloud's 'Just-in-time VM access' to reduce the attack surface by locking down RDP/SSH ports until explicitly requested.

Common Pitfalls in Production

Overlooking Azure Arc: Many organizations forget to extend Defender for Cloud to on-premises servers, leaving them unprotected.

Ignoring Low-Severity Recommendations: While low-severity recommendations contribute few points, they can accumulate and indicate systemic issues (e.g., missing logging).

Misconfiguring Automation: Logic Apps that fire on every alert can cause alert fatigue. Proper tuning is essential.

Secure Score Gaming: Some teams remediate only easy recommendations to boost score without addressing critical vulnerabilities. This creates a false sense of security.

How SC-900 Actually Tests This

Exactly What SC-900 Tests on Threat and Vulnerability Management

SC-900 objective 3.3 focuses on 'Describe the capabilities of Microsoft security solutions for threat and vulnerability management.' Specifically, the exam tests your ability to:

- Identify the primary tool for CSPM and CWP: Microsoft Defender for Cloud.

- Understand the purpose of Secure Score: a measure of security posture based on policy compliance.

- Distinguish between recommendations and alerts: recommendations are proactive (fix misconfigurations); alerts are reactive (detect threats).

- Know the role of Azure Security Benchmark: a set of security best practices used by Defender for Cloud.

- Recognize integration points: Defender for Cloud sends alerts to Microsoft Sentinel; Defender for Cloud Apps protects SaaS apps.

- Identify vulnerability assessment options: built-in (Qualys) and Microsoft Defender for Cloud's scanner.

Most Common Wrong Answers and Why Candidates Choose Them

1. Q: Which tool provides a unified view of security posture across Azure, on-premises, and other clouds?
Wrong answer: Microsoft Sentinel. Many candidates think the SIEM is the central console, but Sentinel is for SIEM/SOAR, not posture management. Defender for Cloud is the correct answer.

2. Q: What is Secure Score?
Wrong answer: A measure of compliance with regulatory standards. Candidates confuse Secure Score with Compliance Score. Secure Score measures adherence to Azure Security Benchmark, not specific regulations.

3. Q: Which service detects threats in real time?
Wrong answer: Azure Policy. Azure Policy is for configuration enforcement, not threat detection. Defender for Cloud (with enhanced security) provides threat detection.

4. Q: How often does Defender for Cloud scan VMs for vulnerabilities?
Wrong answer: Daily. The default is weekly. Candidates assume continuous scanning, but it is weekly to reduce performance impact.

Specific Numbers, Values, and Terms That Appear Verbatim on the Exam

Secure Score range: 0-100%.

Vulnerability scan frequency: Weekly.

Defender for Cloud tiers: Free (CSPM only) and Standard (CWP).

Azure Security Benchmark: Default policy initiative.

Microsoft Defender for Cloud Apps: CASB.

Microsoft Sentinel: SIEM/SOAR.

Edge Cases and Exceptions the Exam Loves to Test

Hybrid support: Defender for Cloud can protect non-Azure resources via Azure Arc.

Multi-cloud support: Supports AWS and GCP (via connectors).

Automatic remediation: Not all recommendations support automatic remediation; only those with 'DeployIfNotExists' policy effect.

Alert types: Some alerts are based on behavioral analytics, not just signature-based.

How to Eliminate Wrong Answers Using the Underlying Mechanism

If a question asks about 'posture management' or 'configuration compliance', think Defender for Cloud (CSPM).

If it asks about 'threat detection' or 'advanced protection', think Defender for Cloud (CWP) or Microsoft Defender for Cloud Apps.

If it asks about 'correlating alerts across multiple sources', think Microsoft Sentinel.

If it asks about 'vulnerability scanning', think Defender for Cloud's vulnerability assessment.

If it asks about 'shadow IT discovery', think Microsoft Defender for Cloud Apps.

Use the mnemonic: CSPM = Config, CWP = Threat.

Key Takeaways

Microsoft Defender for Cloud is the central tool for cloud security posture management (CSPM) and cloud workload protection (CWP).

Secure Score ranges from 0% to 100% and measures adherence to Azure Security Benchmark recommendations.

Defender for Cloud supports hybrid and multi-cloud environments via Azure Arc and connectors for AWS/GCP.

Vulnerability assessment for VMs runs weekly by default and uses either Qualys or Microsoft's built-in scanner.

Defender for Cloud sends security alerts to Microsoft Sentinel for correlation and incident response.

Azure Security Benchmark is the default policy initiative assigned by Defender for Cloud.

Not all recommendations can be remediated automatically; only those with 'DeployIfNotExists' policy effect.

Microsoft Defender for Cloud Apps is a CASB that protects SaaS applications and discovers shadow IT.

The free tier of Defender for Cloud provides only CSPM; threat detection requires the Standard tier.

Defender for Cloud integrates with Azure Policy to enforce security configurations across resources.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Defender for Cloud

Primary tool for CSPM and CWP

Provides secure score, recommendations, and vulnerability assessment

Generates security alerts for cloud workloads

Integrates with Azure Policy for configuration enforcement

Focuses on cloud infrastructure security

Microsoft Sentinel

Cloud-native SIEM/SOAR

Ingests logs and alerts from multiple sources (Azure, Office 365, on-prem)

Provides advanced threat hunting, analytics, and incident response

Can correlate alerts from Defender for Cloud with other data

Focuses on overall security event management

Defender for Cloud Free Tier

Free for all Azure subscriptions

Provides CSPM only (secure score, recommendations)

No threat detection or vulnerability assessment

No access to advanced features like just-in-time VM access

Limited to Azure resources

Defender for Cloud Standard Tier

Paid per resource (e.g., per VM, per database)

Includes CSPM plus CWP (threat detection, vulnerability scanning)

Provides adaptive application controls, file integrity monitoring

Supports hybrid and multi-cloud via Azure Arc

Includes regulatory compliance dashboards

Watch Out for These

Mistake

Microsoft Defender for Cloud only works for Azure resources.

Correct

Defender for Cloud supports hybrid and multi-cloud environments via Azure Arc. You can connect on-premises servers, AWS EC2 instances, and GCP VMs to Defender for Cloud for unified security management.

Mistake

Secure Score is a measure of how secure you are from active threats.

Correct

Secure Score measures your security posture based on compliance with Azure Security Benchmark recommendations. It does not directly measure active threats; threat detection is separate via alerts.

Mistake

Defender for Cloud automatically remediates all security issues.

Correct

Only recommendations that have a 'DeployIfNotExists' policy effect can be automatically remediated. Most recommendations require manual remediation or custom automation (e.g., Logic Apps).

Mistake

Vulnerability scanning in Defender for Cloud runs continuously.

Correct

The built-in vulnerability assessment scans VMs weekly by default. For container images, scanning is on-demand or triggered by new images pushed to ACR.

Mistake

Microsoft Sentinel replaces Defender for Cloud.

Correct

Sentinel is a SIEM/SOAR that ingests logs and alerts from multiple sources, including Defender for Cloud. Defender for Cloud provides the vulnerability management and threat detection for cloud workloads; Sentinel provides correlation and incident response across the entire environment.


Frequently Asked Questions

What is the difference between Microsoft Defender for Cloud and Microsoft Sentinel?

Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection (CWP) tool that provides secure score, recommendations, vulnerability assessment, and threat detection for cloud workloads. Microsoft Sentinel is a cloud-native SIEM/SOAR that ingests logs and alerts from multiple sources (including Defender for Cloud) to provide advanced threat detection, hunting, and incident response across the entire organization. In short, Defender for Cloud focuses on securing cloud infrastructure, while Sentinel focuses on security event management and response.

How does Secure Score work in Defender for Cloud?

Secure Score is a numerical value (0-100%) that reflects your security posture based on how many security recommendations you have implemented. Each recommendation has a maximum score contribution (e.g., 10 points). The score is calculated as the sum of achieved points divided by the total possible points. For example, if a recommendation has 10 possible points and you have 5 healthy resources out of 10, you get 5 points. Remediating recommendations increases your score. The score is updated every 24 hours.

Can Defender for Cloud protect on-premises servers?

Yes, Defender for Cloud can protect on-premises servers by using Azure Arc. You install the Azure Arc agent on the on-premises server, which connects it to Azure. Then you enable Defender for Cloud on the server, allowing you to view security recommendations, vulnerability assessments, and threat alerts for that server alongside your Azure resources.

What is the difference between a recommendation and an alert in Defender for Cloud?

A recommendation is a proactive suggestion to improve your security posture, such as 'Enable MFA' or 'Install endpoint protection'. Recommendations are based on policy compliance. An alert is a notification about a detected threat or suspicious activity, such as 'Malware detected' or 'Brute force attack'. Alerts are reactive and indicate an ongoing or past security event. Both are important, but they serve different purposes.

How often does Defender for Cloud scan VMs for vulnerabilities?

The built-in vulnerability assessment solution (Qualys or Microsoft scanner) scans VMs weekly by default. You can trigger an on-demand scan via the Azure portal or API. The scan checks for missing OS patches, weak configurations, and known CVEs. Results are available in the 'Vulnerabilities' blade of Defender for Cloud.

What is Azure Security Benchmark?

Azure Security Benchmark is a set of security best practices and recommendations for securing Azure workloads. It is based on common compliance frameworks like CIS, NIST, and PCI DSS. Defender for Cloud uses the Azure Security Benchmark as its default policy initiative, and your Secure Score measures compliance with these benchmarks.

What is Microsoft Defender for Cloud Apps?

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility and control over SaaS applications. It discovers shadow IT, assesses the risk of apps, enforces policies (e.g., session controls, data loss prevention), and detects anomalous behavior. It integrates with Defender for Cloud to provide a unified security experience.
