AZ-500 Objective 4.3: Configure and Manage Threat Protection by Using Microsoft Defender for Cloud
AZ-500 Exam Focus: This objective covers threat protection workload services in Microsoft Defender for Cloud including enabling Defender plans (Servers, App Service, Storage, SQL, Databases, Containers, Key Vault, Resource Manager, DNS), Defender for Servers configuration (Plan 1 vs Plan 2 with Microsoft Defender for Endpoint, vulnerability assessment, file integrity monitoring, adaptive application controls, JIT VM access), Defender for Databases (SQL vulnerability assessment, threat detection, anomaly detection), Defender for Storage (malware scanning, sensitive data discovery, anomalous access), agentless scanning for VMs (snapshot-based, no agent required, 24-hour intervals), Microsoft Defender Vulnerability Management (risk-based prioritization, exposure score, software inventory, Update Manager integration), and Defender for DevOps Security (GitHub, Azure DevOps, GitLab with IaC scanning, secret detection, dependency scanning).
Understanding Threat Protection in Defender for Cloud
Microsoft Defender for Cloud provides advanced threat protection across cloud workloads, detecting and preventing attacks. Organizations face sophisticated threats including malware targeting cloud workloads, SQL injection attacks compromising databases, data exfiltration from storage accounts, cryptomining consuming compute resources, ransomware encrypting virtual machines, insider threats abusing privileged access, supply chain attacks through vulnerable dependencies, and misconfigurations exposing resources to exploitation from the internet. Traditional security tools struggled with cloud-native threats, lacked visibility into container environments, could not detect subtle anomalies in database access patterns, and provided reactive rather than proactive protection.
Defender for Cloud addresses these challenges through workload-specific protection plans, each providing specialized threat detection for one resource type. Servers are protected by Defender for Endpoint integration detecting malware, fileless attacks, and suspicious processes; vulnerability assessment identifying missing patches; adaptive application controls preventing unauthorized software execution; just-in-time access reducing the attack surface; and file integrity monitoring detecting tampering. Databases are protected through SQL injection detection, anomalous query pattern identification, vulnerability assessment finding misconfigurations, and brute force attack prevention. Storage accounts are protected with malware scanning on upload, sensitive data discovery preventing exposure, and anomalous access pattern detection indicating potential data exfiltration. Containers are secured through image vulnerability scanning before deployment, runtime threat protection detecting breakout attempts, and Kubernetes configuration assessment. DevOps pipelines are secured by infrastructure-as-code scanning before deployment, secret detection preventing credential exposure, and vulnerable dependency identification. This objective explores enabling and configuring workload protection services, implementing agentless vulnerability scanning, leveraging Defender Vulnerability Management for risk-based prioritization, and securing DevOps workflows with Defender for DevOps Security.
Enabling Workload Protection Services
Defender Plans Overview
Defender for Cloud offers multiple protection plans, each specialized for a specific workload type. Available plans: Defender for Servers protects virtual machines, VM scale sets, and Arc-enabled servers with endpoint protection, vulnerability assessment, and access controls. Defender for App Service protects web applications and APIs with code vulnerability scanning and runtime threat detection. Defender for Storage protects blob, file, and queue storage with malware scanning and anomalous access detection. Defender for SQL protects Azure SQL Database, SQL Managed Instance, and SQL on VMs with vulnerability assessment and SQL injection detection. Defender for open-source relational databases protects Azure Database for PostgreSQL, MySQL, and MariaDB. Defender for Cosmos DB protects NoSQL databases with anomalous access detection. Defender for Containers protects AKS, ACR, and ACI with image scanning and runtime protection. Defender for Key Vault monitors vault access patterns, detecting suspicious operations. Defender for Resource Manager monitors the control plane, detecting suspicious management activities. Defender for DNS analyzes DNS queries, detecting malicious domains and data exfiltration. Defender for DevOps protects GitHub, Azure DevOps, and GitLab repositories with IaC and secret scanning.
Enable Defender plans: Navigate to Defender for Cloud → Environment settings → Select subscription → Defender plans tab shows all available plans with status (On/Off). Enable individual plans: Toggle switch for each plan → On. Enable all plans: Select all → On (comprehensive protection). Each plan displays monthly cost per resource and a 30-day free trial for first-time enablement. Plan recommendations appear in Security recommendations when unprotected resources are detected. Monitoring: Environment settings shows coverage percentage (protected vs total resources), the alerts dashboard displays threats detected by enabled plans, and Workload protections shows plan-specific findings and configurations. Cost considerations: Plans charge per protected resource per month (Defender for Servers per VM, Defender for Storage per storage account, Defender for SQL per database), the 30-day trial allows feature evaluation, disable plans for non-production resources if cost-constrained, pricing varies by region and commitment level, billing is consolidated at subscription level. Best practices: Enable Defender plans for all production workloads, start with the most critical resources (servers, databases containing sensitive data), leverage free trials to evaluate features, monitor monthly costs and adjust coverage as needed, enable all plans for comprehensive protection in high-security environments, document plan coverage decisions for compliance, regularly review plan effectiveness through alert analysis, integrate costs into security budget planning, disable plans only when alternative protections are in place.
Defender for Servers Configuration
Plan 1 vs Plan 2 Features
Defender for Servers offers two tiers with different capabilities. Plan 1 (Foundational): Includes Microsoft Defender for Endpoint integration providing advanced endpoint detection and response (EDR), behavioral threat detection using machine learning, automated investigation and remediation, threat intelligence from the Microsoft security graph, file and process analysis, network connection monitoring, and security alerts for malware, suspicious activities, and exploitation attempts. Plan 1 is sufficient for basic server protection with enterprise endpoint security. Plan 2 (Advanced): Includes all Plan 1 features plus vulnerability assessment (agentless or Qualys agent scanning identifying OS and application CVEs with remediation guidance), file integrity monitoring (tracks changes to critical files, registry, and system directories, alerting on unauthorized modifications), adaptive application controls (machine learning-based allowlisting blocking unauthorized applications, with policy recommendations), just-in-time VM access (on-demand management port access reducing the attack surface), Docker host hardening (CIS benchmark assessment for container hosts), and network map (visualizes topology and traffic flows). Plan 2 is recommended for production servers requiring comprehensive security controls.
Microsoft Defender for Endpoint integration: Automatically enabled when Defender for Servers is activated. Deployment: The Azure VM extension Microsoft.Azure.AzureDefenderForServers is deployed automatically, Arc-enabled on-premises servers are supported after Arc agent installation, giving unified endpoint protection across hybrid environments. Capabilities: Real-time threat detection (monitors processes, file operations, network connections, registry changes), behavioral analytics (detects fileless attacks, living-off-the-land techniques, suspicious PowerShell usage), automated response (isolates infected machines, kills malicious processes, blocks attack chains), threat hunting (advanced queries identifying sophisticated threats), integration with Microsoft 365 Defender for unified security operations. Alerts appear in the Defender for Cloud security alerts dashboard. Vulnerability assessment offers two options: Microsoft Defender Vulnerability Management (agentless scanning using disk snapshots, no performance impact, powered by the Microsoft threat intelligence database, 24-hour scan intervals) or Qualys (agent-based continuous monitoring, VM extension deployment required, detailed network vulnerability scanning). Enable: Defender for Cloud → Recommendations → Deploy vulnerability assessment solution → Select Microsoft Defender (recommended for most scenarios) → Deploy to subscription or selected VMs. Findings: Security recommendations show discovered vulnerabilities with severity (Critical, High, Medium, Low), CVE details, CVSS scores, affected software versions, remediation steps (update commands, patches, configuration changes), and exploitability information (public exploits available, actively exploited in the wild). Integration with Update Manager enables automated patch deployment.
Advanced Server Protection Features
File integrity monitoring (FIM): Tracks changes to critical system components, detecting unauthorized modifications indicating compromise. Monitored items: Windows registry keys (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon), system files (C:\Windows\System32\drivers\), configuration files, application binaries, administrative tools. Linux monitored: /etc/passwd, /etc/group, /bin/, /sbin/, /boot/, /usr/bin/, /usr/sbin/. Configure: Defender for Cloud → Environment settings → Integrations → Log Analytics workspace → Advanced settings → File Integrity Monitoring → Enable → Add files/folders/registry keys to monitor. Changes logged: File content modifications, file creation/deletion, permissions changes, ownership changes, registry value modifications. Alerts: High-severity alert when a critical system file is modified, includes change details (before/after values, modification time, user account); investigate alerts to determine whether the change is legitimate administration or malicious tampering. Use cases: Detect rootkits modifying system binaries, identify configuration tampering, monitor application integrity, track administrative changes, detect ransomware encryption activities.
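The change types FIM reports (creation, deletion, content modification, permission and ownership changes) come from comparing a recorded baseline with the current state of each monitored path. The following is an added example written for this page, not Defender for Cloud's own code: it takes a baseline of a directory tree (content hash, size, mode, owner), tampers with a constructed stand-in for /etc in a temporary directory, and emits one event per change type, the way a FIM alert would carry before/after values.

```python
# Added example (not Defender for Cloud's own code): a minimal file integrity
# monitor that records a baseline of monitored paths and reports the kinds of
# change the text lists: creation, deletion, content modification, permission
# and ownership changes. A temporary directory stands in for /etc so it runs
# anywhere; the sample files and the simulated tampering are constructed.
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int
    mode: str  # permission bits as an octal string, e.g. "0644"
    uid: int
    gid: int


def snapshot_file(path: str) -> FileState:
    """Hash the file content and capture size, mode and ownership."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return FileState(digest.hexdigest(), st.st_size,
                     format(stat.S_IMODE(st.st_mode), "04o"), st.st_uid, st.st_gid)


def take_baseline(paths: Iterable[str]) -> Dict[str, FileState]:
    """Snapshot every file under the given files and directories."""
    baseline: Dict[str, FileState] = {}
    for p in paths:
        if os.path.isdir(p):
            for root, _dirs, files in os.walk(p):
                for name in files:
                    full = os.path.join(root, name)
                    baseline[full] = snapshot_file(full)
        elif os.path.isfile(p):
            baseline[p] = snapshot_file(p)
    return baseline


def compare(baseline: Dict[str, FileState], current: Dict[str, FileState]) -> List[dict]:
    """Diff two snapshots into FIM-style change events (one event per change type)."""
    events: List[dict] = []

    def event(path, change, before=None, after=None):
        events.append({"path": path, "name": os.path.basename(path),
                       "change": change, "before": before, "after": after})

    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            event(path, "created", after=new.sha256[:12])
        elif new is None:
            event(path, "deleted", before=old.sha256[:12])
        else:
            if old.sha256 != new.sha256:
                event(path, "content", old.sha256[:12], new.sha256[:12])
            if old.mode != new.mode:
                event(path, "permissions", old.mode, new.mode)
            if (old.uid, old.gid) != (new.uid, new.gid):
                event(path, "ownership", f"{old.uid}:{old.gid}", f"{new.uid}:{new.gid}")
    return events


def demo() -> List[dict]:
    """Constructed scenario: baseline a fake /etc, tamper with it, then diff."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    passwd = os.path.join(etc, "passwd")
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(passwd, 0o644)
    hosts = os.path.join(etc, "hosts")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")

    baseline = take_baseline([etc])

    # Simulated unauthorized changes: an appended account line, a world-writable
    # passwd file, a dropped script and a deleted configuration file.
    with open(passwd, "a") as fh:
        fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
    os.chmod(passwd, 0o666)
    open(os.path.join(etc, "dropped.sh"), "w").close()
    os.remove(hosts)

    return compare(baseline, take_baseline([etc]))


if __name__ == "__main__":
    for e in demo():
        print(f"{e['change']:12} {e['path']}  {e['before']} -> {e['after']}")
```

The baseline is the trust anchor: it must be taken from a known-good state and stored where the monitored host cannot rewrite it, which is why Defender for Cloud keeps FIM data in the Log Analytics workspace rather than on the VM.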
Adaptive application controls (AAC): Uses machine learning to create application allowlists preventing unauthorized software execution. Process: Defender analyzes running applications on VMs over time (1-2 week learning period), groups VMs with similar application patterns, recommends control policies listing approved applications, with two enforcement modes (Audit logs violations without blocking, for testing; Enforce blocks unapproved applications). Configure: Defender for Cloud → Workload protections → Adaptive application controls → Shows VM groups with recommendations → Select group → Review recommended allowed applications → Apply policy → Choose Audit or Enforce mode. Allowed applications: Legitimate installed software, OS components, administrative tools, business applications. Violations: Alerts when unapproved applications execute (potential malware, unauthorized tools, shadow IT), includes process details (executable path, hash, digital signature, command line); investigate to determine whether there is a legitimate need or a threat. Benefits: Prevents malware execution (blocks ransomware and cryptominers before damage), controls shadow IT (prevents users installing unauthorized software), reduces attack surface (only approved applications run), compliance (demonstrates application control for regulations). Maintenance: Regularly review and update allowed applications as business needs change, add new legitimate applications to the allowlist, remove applications no longer needed, investigate repeated violations indicating systemic issues.
Just-in-time VM access (JIT): Reduces exposure by opening management ports only when needed and only for a limited time. Traditional approach: RDP (3389) or SSH (22) open 24/7 in the NSG, increasing attack surface, constant scanning and brute force attempts from the internet, high risk of compromise through stolen credentials or vulnerability exploitation. JIT approach: Management ports blocked by default in the NSG, users request access specifying port, duration, source IP and justification, access granted through a temporary NSG rule modification, automatic rule removal after the time expires. Configure: Defender for Cloud → Workload protections → Just-in-time VM access → Select VMs → Enable JIT on VMs → Configure protected ports (RDP 3389, SSH 22, WinRM 5985/5986, custom ports) → Set maximum request duration (hours, 3 hours typical) → Specify allowed source IPs (My IP, IP range, Any). Request access: User navigates to VM → Request access (Connect button triggers JIT if enabled) → Specify port, duration, source IP, justification → Auto-approved or requires approval based on RBAC → NSG rule added temporarily → Access granted → Rule removed automatically after duration. Benefits: Dramatically reduces attack surface (ports closed 99% of the time), audit trail of all access requests with justification, prevents automated attacks (brute force, vulnerability scanners), meets compliance requirements for access controls. Best practices: Enable JIT on all internet-facing VMs with management ports, use My IP for source when possible (most restrictive), limit request duration (2-4 hours maximum), require justification for audit purposes, integrate with Privileged Identity Management for elevated access, monitor JIT requests for unusual patterns, educate users on the JIT request process, test JIT before production deployment ensuring operational processes are adapted.
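To make the NSG mechanics of JIT concrete, here is an added model written for this page (not Azure's implementation): enabling JIT installs default-deny rules for the protected ports, an approved request inserts a higher-priority allow rule scoped to one source IP, port and expiry, and the rule disappears once the window elapses. The policy limits, user, IPs and timestamps are constructed; the only Azure behaviour it mirrors is that lower NSG priority numbers are evaluated first.

```python
# Added example, not Azure's implementation: a model of the JIT access flow the
# text describes. Enabling JIT installs default-deny NSG rules for the protected
# ports; an approved request inserts a higher-priority allow rule scoped to one
# source IP and port that is removed when its duration elapses. Ports, limits,
# IPs and times are constructed; lower NSG priority numbers win, as in Azure.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NsgRule:
    name: str
    priority: int          # lower number = evaluated first
    access: str            # "Allow" or "Deny"
    port: int
    source: str            # "*" or a CIDR such as "203.0.113.10/32"
    expires: Optional[datetime] = None


@dataclass
class JitPolicy:
    protected_ports: tuple = (22, 3389, 5985, 5986)   # SSH, RDP, WinRM
    max_duration: timedelta = timedelta(hours=3)       # assumed maximum
    allowed_sources: tuple = ("*",)                    # "*" = any, else CIDRs


class JitVmAccess:
    def __init__(self, policy: JitPolicy):
        self.policy = policy
        # Enabling JIT: one default-deny rule per protected port
        self.rules: List[NsgRule] = [
            NsgRule(f"JIT-Deny-{p}", 4000 + i, "Deny", p, "*")
            for i, p in enumerate(policy.protected_ports)]
        self.audit: List[dict] = []

    def request_access(self, user: str, port: int, source_ip: str,
                       duration: timedelta, justification: str, now: datetime) -> NsgRule:
        """Validate a request against the policy and grant a temporary allow rule."""
        if port not in self.policy.protected_ports:
            raise ValueError(f"port {port} is not JIT-protected")
        if duration > self.policy.max_duration:
            raise ValueError("requested duration exceeds policy maximum")
        if not justification.strip():
            raise ValueError("justification is required for the audit trail")
        if self.policy.allowed_sources != ("*",) and not any(
                ip_address(source_ip) in ip_network(c) for c in self.policy.allowed_sources):
            raise ValueError("source IP not permitted by policy")
        rule = NsgRule(f"JIT-Allow-{user}-{port}", 100 + len(self.audit), "Allow",
                       port, f"{source_ip}/32", expires=now + duration)
        self.rules.append(rule)
        self.audit.append({"user": user, "port": port, "source": source_ip,
                           "granted": now, "expires": rule.expires, "why": justification})
        return rule

    def expire(self, now: datetime) -> List[str]:
        """Remove allow rules whose window has passed (Azure does this automatically)."""
        gone = [r.name for r in self.rules if r.expires and r.expires <= now]
        self.rules = [r for r in self.rules if not (r.expires and r.expires <= now)]
        return gone

    def is_allowed(self, port: int, source_ip: str, now: datetime) -> bool:
        """Evaluate rules NSG-style: first match by priority decides; no match denies."""
        self.expire(now)
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.port != port:
                continue
            if rule.source == "*" or ip_address(source_ip) in ip_network(rule.source):
                return rule.access == "Allow"
        return False


def demo() -> dict:
    """Constructed walk-through: request SSH for two hours, then let it lapse."""
    jit = JitVmAccess(JitPolicy())
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    jit.request_access("alice", 22, "203.0.113.10", timedelta(hours=2),
                       "Patch deployment", t0)
    mid, late = t0 + timedelta(minutes=30), t0 + timedelta(hours=2, minutes=1)
    return {
        "during_from_requester": jit.is_allowed(22, "203.0.113.10", mid),
        "during_from_other_ip": jit.is_allowed(22, "198.51.100.7", mid),
        "rdp_during": jit.is_allowed(3389, "203.0.113.10", mid),
        "after_expiry": jit.is_allowed(22, "203.0.113.10", late),
        "audit_entries": len(jit.audit),
    }
```

The audit list is the part auditors ask for: every grant records who, which port, from where, for how long and why, which is what the justification field in the portal request is there to capture.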
Defender for Databases and Storage
SQL Protection and Vulnerability Assessment
Defender for SQL provides comprehensive database security. Enable: Environment settings → Defender plans → Databases → Azure SQL Databases On, SQL servers on machines On → Save. Protected resources: Azure SQL Database (single and elastic pools), SQL Managed Instance, SQL Server on Azure VMs, SQL Server on Arc-enabled servers. Features: Advanced threat protection monitors database activities, detecting SQL injection attempts, anomalous database access from unusual locations, brute force authentication attacks, privilege escalation, data exfiltration patterns, and suspicious application behavior. Vulnerability assessment scans database configuration, identifying security weaknesses including missing encryption, excessive permissions, weak authentication, unpatched software, SQL Server misconfigurations, and compliance violations. Alerts: SQL injection potential (unusual SQL queries with injection patterns), Access from unusual location (login from unexpected geography), Login from unusual principal (new or unusual account accessing the database), Potential data exfiltration (unusually large data transfer), Brute force SQL credentials (repeated failed authentication attempts), Successful brute force attack (compromise after multiple attempts).
SQL vulnerability assessment: Configure at SQL server or database level. Setup: Navigate to SQL server/database → Microsoft Defender for Cloud → Configure vulnerability assessment → Provide storage account for scan results (stores findings and scan history) → Enable periodic recurring scans (weekly recommended) → Configure email notifications for administrators → Save. The scan runs automatically on schedule; trigger a scan manually for immediate assessment. Findings: Security Center recommendations show discovered vulnerabilities categorized by severity, impact, and compliance standards. Common findings: Transparent Data Encryption not enabled (data not encrypted at rest), Auditing disabled on SQL server (no audit trail for security events), Firewall rule allows all Azure services (overly permissive network access), SQL Server authentication enabled (less secure than Azure AD authentication), Principals with excessive permissions (users granted more access than needed), Databases without Advanced Data Security. Remediation: Each finding includes a SQL script for remediation (example: ALTER DATABASE [MyDB] SET ENCRYPTION ON;), step-by-step instructions, impact assessment (performance considerations, downtime requirements), links to documentation. Track remediation over time with compliance percentage and resolved vulnerabilities. Benefits: Proactive security (discover issues before exploitation), compliance (meet database security standards), remediation guidance (specific fixes, not general recommendations), continuous monitoring (detect new vulnerabilities as they are introduced), risk reduction (address high-impact issues first based on severity).
Storage and Cosmos DB Protection
Defender for Storage protects blob, file, and queue storage. Enable: Environment settings → Defender plans → Storage → On → Configure: Activity monitoring (anomalous access patterns), Malware scanning (on-upload scanning for blob storage, configurable per account or subscription-wide, hash reputation checks), Sensitive data threat detection (identifies PII and credentials in stored data). Malware scanning: Real-time scanning as files are uploaded to blob storage, Microsoft threat intelligence database checks file signatures, malicious files tagged with metadata indicating detection, configurable response (log alert only or prevent blob access), per-blob scanning limits (file size, storage account opt-in/opt-out). Configure per storage account: Storage account → Security → Microsoft Defender for Storage → Enable → Malware scanning settings → Cap (max GB scanned per month to control costs) → Sensitive data scanning → Save. Use cases: User file uploads (document sharing, profile pictures, attachments), backup storage (prevent malicious backups), public-facing storage (downloads, media files). Alerts: Malware uploaded to storage (malicious file detected and blocked), Potential malware uploaded (suspicious file requiring investigation), Unusual access pattern (atypical blob access volume or timing), Access from Tor exit node (anonymous access, potentially malicious), Suspicious authentication mechanism (access using a stolen SAS token), High volume data download (potential data exfiltration).
Sensitive data discovery: Machine learning identifies sensitive information in blobs including Personally Identifiable Information (names, addresses, emails, phone numbers, social security numbers), financial data (credit card numbers, bank accounts), health information (medical record numbers, HIPAA-covered data), credentials (API keys, passwords, connection strings, certificates, private keys). Alerts when sensitive data is detected in risky configurations (publicly accessible containers, overly permissive SAS tokens, storage accounts without encryption). Recommendations: Restrict public access, implement Azure AD authentication, enable encryption with customer-managed keys, configure network restrictions, apply access policies. Defender for Cosmos DB: Protects Cosmos DB accounts. Enable: Environment settings → Databases → Azure Cosmos DB → On. Features: Anomalous access pattern detection (unusual query volumes, access from unexpected locations), potential data exfiltration (large data transfers), suspicious API usage (administrative operations from unusual clients), crypto-mining detection (resource consumption patterns indicating mining), authentication anomalies (access with compromised keys). Alerts: SQL injection attempt on Cosmos DB API, Access from suspicious IP, Anomalous database activity, Potential data exfiltration from Cosmos DB, Crypto-mining activity.
Best practices: Enable Defender for all storage accounts containing sensitive data or user uploads, configure malware scanning on accounts accepting uploads, implement sensitive data discovery on accounts with PII, restrict storage access using Private Endpoints where possible, use Azure AD authentication instead of storage keys, enable soft delete protecting against ransomware, regularly review and remediate security findings, set up alert notifications for High severity storage threats, encrypt sensitive data before storing (defense-in-depth), implement least privilege access with RBAC and SAS tokens, monitor access patterns for anomalies beyond automated detection.
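The "overly permissive SAS token" condition above and the best practice of least-privilege SAS tokens can be checked before a token is handed out. The following is an added example written for this page, not Microsoft code: it parses the standard SAS query parameters (sp permissions, st/se validity window, sip IP range, spr protocol, sr resource scope, sig signature) from a URL and reports the risky settings. The lifetime threshold, the two sample URLs and their signatures are constructed.

```python
# Added example (not Microsoft code): a reviewer check for the "overly permissive
# SAS token" condition the text lists. It parses the standard SAS query
# parameters (sp permissions, st/se validity window, sip IP range, spr protocol,
# sr resource scope) and reports risky settings. The threshold, sample URLs and
# their signatures are constructed.
from datetime import datetime, timedelta, timezone
from typing import List
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=24)   # assumed policy threshold
WRITE_LIKE = set("acwdx")            # add, create, write, delete, permanent delete


def _parse_time(value: str) -> datetime:
    # SAS times are ISO 8601 in UTC, e.g. 2030-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_sas(url: str, now: datetime) -> List[dict]:
    """Return a list of {rule, severity, detail} findings for one SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings: List[dict] = []

    def add(rule, severity, detail):
        findings.append({"rule": rule, "severity": severity, "detail": detail})

    perms = set(q.get("sp", ""))
    if perms & WRITE_LIKE:
        add("write-or-delete", "High", f"sp={q.get('sp')} permits modification")
    if "l" in perms and q.get("sr") == "c":
        add("container-list", "Medium", "container-scoped token can enumerate blobs")
    if "se" not in q:
        add("no-expiry", "Critical", "token has no expiry (se)")
    else:
        expiry = _parse_time(q["se"])
        start = _parse_time(q["st"]) if "st" in q else now
        if expiry <= now:
            add("expired", "Info", "token already expired")
        elif expiry - start > MAX_LIFETIME:
            add("long-expiry", "High", f"valid for {(expiry - start).days} days")
    if "sip" not in q:
        add("no-ip-restriction", "Medium", "no sip range; usable from any address")
    # When spr is omitted the service permits both protocols
    if "http" in q.get("spr", "https,http").split(","):
        add("http-allowed", "High", "spr permits plaintext HTTP")
    if "sig" not in q:
        add("unsigned", "Info", "not a SAS URL (no sig parameter)")
    return findings


# Constructed sample: container-wide read/write/delete/list token valid for years
RISKY_SAS = ("https://examplestore.blob.core.windows.net/uploads"
             "?sv=2022-11-02&sr=c&sp=racwdl&st=2024-01-01T00:00:00Z"
             "&se=2030-01-01T00:00:00Z&spr=https,http&sig=CONSTRUCTED-FAKE-SIGNATURE")

# Constructed sample: single blob, read-only, one hour, IP-bound, HTTPS only
SAFER_SAS = ("https://examplestore.blob.core.windows.net/uploads/report.pdf"
             "?sv=2022-11-02&sr=b&sp=r&se=2024-01-01T02:00:00Z"
             "&sip=203.0.113.0-203.0.113.255&spr=https&sig=CONSTRUCTED-FAKE-SIGNATURE")


def demo(now: datetime = datetime(2024, 1, 1, 1, 0, tzinfo=timezone.utc)) -> dict:
    return {"risky": [f["rule"] for f in review_sas(RISKY_SAS, now)],
            "safer": [f["rule"] for f in review_sas(SAFER_SAS, now)]}


if __name__ == "__main__":
    for name, rules in demo().items():
        print(name, rules or "no findings")
```

A token that passes this check still depends on the account key that signed it; rotating keys (or using user-delegation SAS tied to Azure AD identities) is what actually revokes a leaked token, which is why the text pairs SAS hygiene with Azure AD authentication.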
Agentless Scanning for Virtual Machines
Implementing Agentless Vulnerability Assessment
Agentless scanning provides vulnerability assessment without agent installation overhead. Architecture: Snapshot-based scanning creates temporary disk snapshots incrementally (only changed blocks copied), snapshots are transferred to an isolated scanning environment (air-gapped from production networks), the Microsoft Defender vulnerability assessment engine scans the OS and installed software, results are uploaded to Defender for Cloud, snapshots are deleted immediately (no persistent storage), and the process repeats on schedule (default 24 hours). Benefits: No agent deployment (eliminates agent installation, configuration, updates, troubleshooting), zero performance impact on VMs (scanning in a separate environment), comprehensive coverage (all VMs automatically included), reduced operational overhead (no agent management), support for Azure VMs and Arc-enabled servers. Enable: Included with Defender for Servers Plan 2, automatically enabled when Plan 2 is activated. Configuration: Environment settings → Subscription → Settings & monitoring → Agentless scanning for machines → Status On (default) → Configure exclusions (specific VMs, resource groups, or tags to exclude) → Scan frequency (24 hours default, not configurable). Supported platforms: Windows Server 2012 R2, 2016, 2019, 2022, Linux distributions (RHEL 7+, Ubuntu 16.04+, Debian 9+, CentOS 7+, SLES 12+, Amazon Linux 2), Azure VMs (all generations and sizes), Arc-enabled servers (on-premises, other clouds).
Scan process: The scheduler triggers a scan for the VM (24-hour interval from the last scan), Azure creates an incremental disk snapshot (typically completes in minutes), the snapshot is replicated to the scanning infrastructure (Microsoft-managed environment), and the vulnerability assessment engine: inventories installed software (OS packages, applications, libraries, frameworks), queries vulnerability databases (Microsoft threat intelligence, CVE databases, vendor advisories), identifies vulnerabilities matching installed software versions, calculates severity and exploitability scores, uploads results to Defender for Cloud Security recommendations, deletes the snapshot (no data retained), and schedules the next scan. Findings: Recommendations appear in Defender for Cloud grouped by severity and include CVE identifier, affected software package/version, vulnerability description, CVSS score (severity rating), exploitability information (public exploits available, actively exploited, exploit complexity), remediation steps (specific commands to update the package, patches to apply, configuration changes), affected VMs list, and fix version. Example: Recommendation "Vulnerabilities in OS should be remediated" → Details → CVE-2024-1234 Apache HTTP Server 2.4.41 → Remote code execution vulnerability → CVSS 9.8 Critical → Public exploit available → Remediation: Update Apache to 2.4.52 using "apt update && apt upgrade apache2" → 15 VMs affected.
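The step that turns a snapshot into findings is the match between the software inventory and a vulnerability feed. The following is an added example for this page, not the Defender scan engine: per-VM inventories (what a snapshot would yield) are matched against feed entries carrying an affected version range and a fix version, each hit is rated with the CVSS v3 qualitative bands, and results are aggregated both per VM and per CVE, mirroring the "by resource" and "by vulnerability" views. Inventories and feed entries are constructed; the Apache entry reuses the illustrative values from the text, and the other CVE ids are placeholders.

```python
# Added example, not the Defender scan engine: the matching step of an agentless
# scan, reduced to its core. Inventories, feed entries and CVE ids are
# constructed; the Apache entry reuses the illustrative values from the text.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (assumption: distro epochs/suffixes ignored)."""
    return tuple(int(p) for p in v.split("."))


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


# Constructed feed: affected range is [introduced, fixed)
VULN_FEED = [
    {"cve": "CVE-2024-1234", "package": "apache2", "introduced": "2.4.0",
     "fixed": "2.4.52", "cvss": 9.8, "exploit": "public"},   # values from the text
    {"cve": "CVE-0000-0001", "package": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.10", "cvss": 7.5, "exploit": "poc"},      # placeholder id
    {"cve": "CVE-0000-0002", "package": "curl", "introduced": "7.0.0",
     "fixed": "8.4.0", "cvss": 5.3, "exploit": "none"},      # placeholder id
]

# Constructed per-VM software inventories (package -> installed version)
INVENTORY = {
    "web-01": {"apache2": "2.4.41", "openssl": "3.0.13", "curl": "7.88.1"},
    "web-02": {"apache2": "2.4.41", "openssl": "3.0.2"},
    "db-01": {"openssl": "3.0.13", "curl": "8.5.0"},
}

EXPLOIT_RANK = {"in_the_wild": 0, "public": 1, "poc": 2, "none": 3}


def is_affected(installed: str, entry: dict) -> bool:
    v = parse_version(installed)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def scan_vm(vm: str, packages: Dict[str, str], feed=VULN_FEED) -> List[dict]:
    """'By resource' view: findings for one VM, exploited/public first, then score."""
    findings = []
    for entry in feed:
        installed = packages.get(entry["package"])
        if installed and is_affected(installed, entry):
            findings.append({"vm": vm, "cve": entry["cve"], "package": entry["package"],
                             "installed": installed, "fix_version": entry["fixed"],
                             "cvss": entry["cvss"], "severity": severity(entry["cvss"]),
                             "exploit": entry["exploit"]})
    findings.sort(key=lambda f: (EXPLOIT_RANK[f["exploit"]], -f["cvss"]))
    return findings


def scan_all(inventory=INVENTORY) -> Dict[str, List[dict]]:
    return {vm: scan_vm(vm, pkgs) for vm, pkgs in inventory.items()}


def by_vulnerability(results: Dict[str, List[dict]]) -> Dict[str, dict]:
    """'By vulnerability' view: each CVE with the VMs it affects."""
    agg: Dict[str, dict] = {}
    for vm, findings in results.items():
        for f in findings:
            rec = agg.setdefault(f["cve"], {"severity": f["severity"],
                                            "fix_version": f["fix_version"],
                                            "affected_vms": []})
            rec["affected_vms"].append(vm)
    return agg


if __name__ == "__main__":
    results = scan_all()
    for cve, rec in by_vulnerability(results).items():
        print(f"{cve} {rec['severity']:8} fix {rec['fix_version']:8} "
              f"{len(rec['affected_vms'])} VM(s): {', '.join(rec['affected_vms'])}")
```

Real scanners have to cope with distribution backports, where a package keeps an old upstream version number but carries the fix, which is why the engine consults vendor advisories and not only upstream CVE data; the plain version comparison here would over-report on such packages.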
Exclusions and limitations: Exclude VMs from agentless scanning when regulatory requirements prevent snapshots (some compliance frameworks restrict disk snapshots), for highly dynamic workloads where frequent snapshots impact performance (rarely needed as snapshots are incremental), or for specific VMs requiring alternative scanning methods. Configure exclusions: Environment settings → Agentless scanning → Exclusions → Add → Select exclusion method (tags, resource groups, specific VMs) → Save. Limitations: 24-hour scan frequency (not real-time, 24-hour window between vulnerability introduction and detection), OS and application vulnerabilities only (no network vulnerability scanning, application-layer web vulnerabilities not detected), snapshot-supported regions (most Azure regions, check documentation for Arc server support), snapshot permissions required (subscription Contributor or specific snapshot creation permissions). Agent-based alternative: The Qualys vulnerability assessment agent is deployed as a VM extension when agentless is insufficient. Benefits: Continuous monitoring (real-time vulnerability detection vs 24-hour intervals), network vulnerability scanning (identifies network services, open ports, protocol vulnerabilities), more detailed findings (includes network layer, some application vulnerabilities), continuous rather than scheduled. Deploy: Recommendations → Deploy vulnerability assessment solution → Select Qualys → Deploy extension to VMs.
Best practices: Use agentless as default (lowest operational overhead, adequate for most scenarios), supplement with agent-based for critical systems requiring continuous monitoring, monitor scan coverage ensuring all VMs scanned successfully (check for failed scans in logs), investigate scan failures (typically permissions or networking issues), prioritize remediation by severity and exploitability (Critical and High with public exploits first), integrate with Update Manager for automated patching, exclude VMs only when necessary (document justification), regular vulnerability trending (track new vs remediated over time), set remediation SLAs based on severity (Critical 7 days, High 30 days, Medium 90 days), combine with runtime threat protection (address vulnerabilities proactively, detect exploitation attempts reactively).
Microsoft Defender Vulnerability Management
Risk-Based Vulnerability Prioritization
Defender Vulnerability Management provides comprehensive vulnerability assessment with risk-based prioritization. Overview: Built into Defender for Servers Plan 2, agentless vulnerability assessment automatically enabled, risk-based prioritization (beyond CVSS scores, considering exploitability, threat intelligence, asset criticality), software inventory tracking all installed applications, integration with Update Manager for patch deployment, remediation tracking with ownership and timelines. Dashboard: Defender for Cloud → Workload protections → Vulnerability assessment → Overall exposure score (risk-weighted metric 0-1000+), top vulnerable assets, trending data (new vulnerabilities discovered, remediated vulnerabilities, average remediation time), software inventory summary. Exposure score: Calculates risk combining vulnerability severity (Critical, High, Medium, Low CVSS scores weighted), exploitability (public exploit code increases the score, actively exploited vulnerabilities have highest priority, exploit complexity considered), asset importance (production servers weighted higher than dev/test, critical applications prioritized), threat intelligence (Microsoft security research on emerging threats, zero-day tracking), exploitable attack surface (internet-facing systems higher risk). Example: VM with Critical RCE vulnerability (CVSS 9.8) + public exploit available + production system + internet-facing = exposure score 850 (very high priority).
Vulnerability findings: Defender for Cloud recommendations show vulnerabilities. View options: By resource (shows vulnerable VMs with vulnerability count), by vulnerability (shows specific CVEs with affected VM count). Details include: CVE identifier (CVE-2024-1234), title (Apache HTTP Server Remote Code Execution), description (detailed vulnerability explanation), severity (Critical, High, Medium, Low), CVSS score (0-10 numerical rating), exploitability (Weaponization: exploits available publicly; Exploitation in wild: actively targeted by attackers; Proof-of-concept: only PoC code exists; No known exploit), affected software (Apache HTTP Server version 2.4.41), fixed in version (2.4.52), vulnerability published date, discovery date in environment, remediation recommendation (specific update commands), affected assets list. Software inventory: Complete inventory of installed software across all scanned VMs. Access: Vulnerability assessment → Software inventory tab. Information: Software name, publisher, version, installation date, number of VMs with the software installed, known vulnerabilities count, latest available version, outdated indicator (yes/no), licensing information (for some software). Use cases: Identify outdated software requiring updates, discover shadow IT (unauthorized software installations), track software standardization across VMs, verify license compliance, plan software upgrades based on vulnerability exposure.
Remediation and Update Management
Remediation workflow: Security recommendations provide specific remediation steps for each vulnerability. Manual remediation: Follow recommendation instructions (commands to run, patches to apply, configuration changes), verify the fix by re-running the scan, mark as resolved or wait for automatic re-scan validation. Automated remediation: Update Manager integration enables scheduled patching. Configure: Azure Update Manager → Assessment schedules → Create schedule (daily, weekly, monthly) → Select VMs → Configure maintenance windows → Save. Patch deployment: Update Manager → Deployment schedules → Create → Select VMs → Patch classification (Critical, Security, Updates) → Configure approval workflow (automatic or manual approval), Maintenance window (schedule time, maximum duration, reboot behavior), install patches, reboot if required, validate deployment. Deployment status shows successful and failed installations. Remediation tracking: Assign vulnerabilities to owners (security team, IT operations, application teams), set remediation deadlines based on severity (Critical 7 days, High 30 days, Medium 90 days), track progress to completion, measure remediation velocity (average time to fix), monitor SLA compliance (percentage meeting deadlines). Metrics: Time to remediate by severity, top vulnerable assets (focus improvement efforts), remediation velocity trend (improving or degrading), percentage of vulnerabilities exceeding SLA.
Vulnerability exemptions: Create exemptions when fixes are not immediately possible or the vulnerability is not exploitable in the environment. Exemption categories: Risk accepted (business decision accepting the vulnerability risk, documented with justification and approval), Compensating control (an alternative security control mitigates the risk, such as network isolation, WAF protection, or IDS monitoring), Fix scheduled (remediation planned but not yet completed, temporary exemption until the maintenance window). Create exemption: Select vulnerability → Exempt → Category (select appropriate), Justification (document reason, approval, compensating controls), Expiration date (maximum 90 days recommended, forces re-evaluation), Owner (person responsible for re-assessment) → Create. Tracked separately: The Exemptions dashboard shows all exempted vulnerabilities with justification and expiration, alerts on expired exemptions requiring renewal or remediation, audit trail for compliance. Best practices: Enable Defender for Servers Plan 2 for comprehensive vulnerability management, prioritize by exposure score (risk-based) not just CVSS (severity-based), focus on weaponized vulnerabilities (public exploits) for fastest risk reduction, use Update Manager for automated patching reducing time to remediate, regularly review the software inventory removing unnecessary software, implement baseline hardening reducing vulnerability introduction, set and track remediation SLAs by severity, use exemptions sparingly with clear documentation, conduct quarterly vulnerability trending analysis, integrate vulnerability data into change management when planning maintenance windows, educate teams on vulnerability risk beyond scores (exploitability matters more than CVSS alone), combine with threat detection (vulnerabilities addressed proactively, exploitation attempts detected and blocked), measure and report on vulnerability management metrics (executive dashboards showing posture improvements).
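Risk-based prioritization and remediation tracking, as described in the exposure score, remediation SLA and exemption passages above, can be modelled in one place. The following is an added example written for this page, not Microsoft's scoring algorithm: the weights are assumptions chosen so that the text's worked case (CVSS 9.8, public exploit, production, internet-facing) scores 850; the SLA windows follow the text (Critical 7, High 30, Medium 90 days; Low 180 days is an assumption); exemptions carry a category, justification and an expiry capped at 90 days. The findings are constructed, and the non-page CVE ids are placeholders.

```python
# Added example, not Microsoft's scoring algorithm: a risk-based prioritisation
# and remediation-tracking model for the factors the text names. Weights are
# assumptions chosen so the text's worked case scores 850; SLA windows follow
# the text (Low 180 days is an assumption); exemptions expire within 90 days.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EXPLOIT_WEIGHT = {"in_the_wild": 250, "public": 200, "poc": 80, "none": 0}
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
MAX_EXEMPTION_DAYS = 90


@dataclass
class Exemption:
    category: str        # "risk_accepted" | "compensating_control" | "fix_scheduled"
    justification: str
    expires: date


@dataclass
class Finding:
    vm: str
    cve: str
    cvss: float
    exploit: str                 # key of EXPLOIT_WEIGHT
    production: bool
    internet_facing: bool
    discovered: date
    exemption: Optional[Exemption] = None

    @property
    def severity(self) -> str:
        return ("Critical" if self.cvss >= 9.0 else "High" if self.cvss >= 7.0
                else "Medium" if self.cvss >= 4.0 else "Low")

    @property
    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])


def exposure_score(f: Finding) -> int:
    """Assumed heuristic: CVSS weight + exploitability + asset criticality + exposure."""
    score = f.cvss * 40                      # 9.8 -> 392
    score += EXPLOIT_WEIGHT[f.exploit]       # public exploit -> +200
    score += 130 if f.production else 0      # asset importance
    score += 128 if f.internet_facing else 0 # exploitable attack surface
    return round(score)


def add_exemption(f: Finding, category: str, justification: str,
                  created: date, days: int) -> None:
    if days > MAX_EXEMPTION_DAYS:
        raise ValueError("exemptions must be re-evaluated within 90 days")
    if not justification.strip():
        raise ValueError("justification required")
    f.exemption = Exemption(category, justification, created + timedelta(days=days))


def status(f: Finding, today: date) -> str:
    if f.exemption:
        if f.exemption.expires >= today:
            return "exempt"
        return "exemption_expired"          # needs renewal or remediation
    return "overdue" if today > f.due else "open"


def prioritise(findings: List[Finding], today: date) -> List[dict]:
    """Work queue: non-exempt findings first, highest exposure first."""
    rows = [{"vm": f.vm, "cve": f.cve, "severity": f.severity, "score": exposure_score(f),
             "due": f.due.isoformat(), "status": status(f, today)} for f in findings]
    rows.sort(key=lambda r: (r["status"] == "exempt", -r["score"]))
    return rows


def sla_breach_rate(findings: List[Finding], today: date) -> float:
    """Percentage of active (non-exempt) findings past their SLA deadline."""
    active = [f for f in findings if status(f, today) in ("open", "overdue")]
    if not active:
        return 0.0
    return round(100 * sum(status(f, today) == "overdue" for f in active) / len(active), 1)


def demo(today: date = date(2024, 3, 1)) -> dict:
    findings = [  # constructed; the first row is the text's worked case
        Finding("web-01", "CVE-2024-1234", 9.8, "public", True, True, date(2024, 2, 20)),
        Finding("db-01", "CVE-0000-0001", 7.5, "poc", True, False, date(2024, 2, 25)),
        Finding("dev-03", "CVE-0000-0002", 5.3, "none", False, False, date(2023, 10, 1)),
    ]
    add_exemption(findings[2], "compensating_control",
                  "isolated dev VNet, no inbound access", date(2024, 2, 1), 60)
    return {"queue": prioritise(findings, today),
            "breach_rate": sla_breach_rate(findings, today)}


if __name__ == "__main__":
    for row in demo()["queue"]:
        print(row)
```

Note what the ordering does: the Critical finding with a public exploit on an internet-facing production host sits at the top regardless of age, while the exempted dev finding drops to the bottom but is not forgotten, because its status flips to exemption_expired after the expiry date and it re-enters the queue.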
Defender for DevOps Security
Connecting Source Code Repositories
Defender for DevOps extends security to development workflows. Supported platforms: GitHub (GitHub.com public and private repositories, GitHub Enterprise Server), Azure DevOps (Azure Repos, Azure Pipelines integration), GitLab (GitLab.com SaaS, self-hosted GitLab Community/Enterprise editions). Capabilities: Infrastructure-as-code security (scans ARM templates, Bicep, Terraform, Kubernetes YAML for misconfigurations), secret scanning (detects hardcoded credentials, API keys, certificates), dependency scanning (identifies vulnerable open-source libraries, license compliance), code quality assessment (security anti-patterns, injection vulnerabilities). Enable: Defender for Cloud → Environment settings → Add environment → DevOps → Select platform. GitHub connection: Authorize Defender for Cloud (install the Microsoft Security DevOps GitHub application), authenticate with a GitHub account (admin permissions required for the organization), select repositories to monitor (all repositories, specific repositories, by organization/team), configure scan triggers (on push to main, pull requests, scheduled scans); a webhook is created automatically for real-time scanning. Permissions: Repository read access, metadata read, create issues/alerts, read GitHub Advanced Security findings if enabled. GitHub Advanced Security integration: Combines findings from GitHub Advanced Security and Defender for DevOps in a unified view.
Azure DevOps connection: Install the Microsoft Security DevOps Azure DevOps extension (from the marketplace), create a service connection (Project Settings → Service connections → New → Microsoft Defender for DevOps), authenticate and authorize, select the Azure DevOps organization and projects, configure repository scanning (all repos, selected repos, by project), integrate with Azure Pipelines (add security scan tasks to the pipeline YAML), configure build validation (fail builds on Critical/High findings if desired). Permissions: Project Collection Reader (view projects and repos), Build Administrator (integrate with pipelines), Project Administrator (full configuration). Pipeline integration: Add the Microsoft Security DevOps task to the pipeline YAML:
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Run Microsoft Security DevOps'
Scans code on each pipeline run with findings available in Defender for Cloud and Azure DevOps. GitLab connection: Create a personal access token or OAuth application (api scope, read_repository, read_user), provide the GitLab instance URL (gitlab.com or self-hosted), authenticate, select groups and projects to monitor, configure scan triggers (merge requests, scheduled); a webhook is created for real-time scanning. Permissions: API access, read repository, create issues. Self-hosted GitLab: Requires network connectivity from GitLab to Azure (HTTPS outbound), Defender for Cloud connector installed as a GitLab integration.
Security Scanning and Findings
Infrastructure-as-code scanning: Analyzes IaC templates before deployment, preventing misconfigured resource creation. Scanned templates: ARM templates (Azure Resource Manager JSON), Bicep files (simplified ARM template syntax), Terraform configurations (.tf files), Kubernetes manifests (YAML deployments, services, ingress), Helm charts, CloudFormation templates (for AWS resources). Findings: Public blob storage configured (AllowBlobPublicAccess true), SQL database without auditing enabled, Virtual machine without disk encryption, NSG rule allowing 0.0.0.0/0 on port 3389, Storage account without HTTPS required, Key Vault without soft delete, missing required tags, weak encryption settings. Severity: Critical (immediate security risk, such as public storage with sensitive data), High (significant risk, such as missing encryption), Medium (best practice violations), Low (informational). Remediation: Specific code changes to fix the issue, for example: Change "allowBlobPublicAccess": true to "allowBlobPublicAccess": false, links to documentation and best practices, pull request annotations with suggested fixes.
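A small template check for the kinds of IaC findings listed above, added here as an example (not Defender for DevOps code); the ARM template, the rule set, the severities and the remediation text are constructed for illustration:

```python
"""Check an ARM template for misconfigurations of the kinds the guide lists.
Added example, not Defender for DevOps code: the template, rule set and
severities are constructed, not Microsoft's IaC rules."""
import json
from typing import Callable, Dict, List, Tuple

# Constructed ARM template carrying four of the guide's example findings.
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample01",
     "properties": {"allowBlobPublicAccess": true, "supportsHttpsTrafficOnly": false}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
     "properties": {"securityRules": [{"name": "allow-rdp", "properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}]}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-example",
     "properties": {"enableSoftDelete": false}}
  ]
}
""")

Finding = Tuple[str, str, str, str]  # (severity, resource, issue, remediation)


def port_in_range(port: int, spec: str) -> bool:
    """True if an NSG port spec ('*', '3389' or '3000-4000') covers the port."""
    if not spec:
        return False
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def check_storage(res: dict) -> List[Finding]:
    p, out = res.get("properties", {}), []
    if p.get("allowBlobPublicAccess") is True:
        out.append(("Critical", res["name"], "public blob access enabled",
                    'set "allowBlobPublicAccess": false'))
    if p.get("supportsHttpsTrafficOnly") is False:
        out.append(("High", res["name"], "HTTPS not required",
                    'set "supportsHttpsTrafficOnly": true'))
    return out


def check_nsg(res: dict) -> List[Finding]:
    """Inbound Allow from any source to a management port (22 or 3389)."""
    out = []
    for rule in res.get("properties", {}).get("securityRules", []):
        rp = rule["properties"]
        ranges = rp.get("destinationPortRanges") or [rp.get("destinationPortRange", "")]
        exposed = (rp.get("access") == "Allow" and rp.get("direction") == "Inbound"
                   and rp.get("sourceAddressPrefix") in ("*", "0.0.0.0/0", "Internet"))
        if exposed and any(port_in_range(p, r) for p in (22, 3389) for r in ranges):
            out.append(("High", f"{res['name']}/{rule['name']}",
                        "management port open to the internet",
                        "restrict sourceAddressPrefix or use JIT VM access"))
    return out


def check_keyvault(res: dict) -> List[Finding]:
    if res.get("properties", {}).get("enableSoftDelete") is False:
        return [("Medium", res["name"], "soft delete disabled", 'set "enableSoftDelete": true')]
    return []


CHECKS: Dict[str, Callable[[dict], List[Finding]]] = {
    "Microsoft.Storage/storageAccounts": check_storage,
    "Microsoft.Network/networkSecurityGroups": check_nsg,
    "Microsoft.KeyVault/vaults": check_keyvault,
}


def scan_template(template: dict) -> List[Finding]:
    """Run the per-type checks over every resource; unknown types are skipped."""
    findings: List[Finding] = []
    for res in template.get("resources", []):
        findings.extend(CHECKS.get(res.get("type"), lambda r: [])(res))
    return findings
```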
Secret scanning: Detects credentials and secrets in code preventing exposure. Scanned content: Git commits (current and historical), Pull requests (before merge), Issue descriptions and comments. Detected secrets: Azure storage account keys and connection strings, SQL connection strings, Azure service principal credentials, API keys (Azure, AWS, GCP, third-party services), OAuth tokens, Private SSH keys, Certificates and private keys (.pfx, .pem files), Database passwords, Encryption keys. Detection methods: Pattern matching (regular expressions for credential formats), entropy analysis (high randomness indicates secrets), vendor-specific patterns (Azure, AWS formats). Alerts: High-severity alert in Defender for Cloud, notification to repository administrators, optionally block pull request merge until secret removed, tracked with secret location (file path, line number, commit hash), exposure duration. Remediation: Remove secret from code immediately, rotate secret (generate new key, update applications), scan commit history (check if secret in historical commits), force push removing history if necessary (or use git-filter-repo, BFG Repo-Cleaner), verify secret not used elsewhere. Prevention: Use Azure Key Vault for secrets (application retrieves at runtime), environment variables (don't commit .env files), CI/CD secret variables (Azure DevOps variable groups, GitHub secrets), managed identities eliminating credentials entirely.
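The two detection methods named above (pattern matching for known credential formats, entropy analysis for unknown ones) as an added example, not Defender for DevOps code; the patterns are constructed, and no value in the sample file is a real credential:

```python
"""Pattern-plus-entropy secret detection over constructed source lines.
Added example, not Defender for DevOps code. The patterns below are
constructed approximations, and every credential in SAMPLE is made up."""
import math
import re
from typing import Dict, List

# Vendor-specific formats (constructed here, not Microsoft's detection rules).
PATTERNS = {
    "azure-storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "connection-string-password": re.compile(r"(?i)(?:password|pwd)=[^;\"'\s]+"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys score well above prose


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated character, about 5 or more for random keys."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))


def scan_line(path: str, lineno: int, line: str) -> List[Dict]:
    """Known formats first; fall back to entropy so unknown token types still surface."""
    hits = [{"rule": name, "path": path, "line": lineno}
            for name, pat in PATTERNS.items() if pat.search(line)]
    if not hits:
        for tok in GENERIC_TOKEN.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                hits.append({"rule": "high-entropy-token", "path": path, "line": lineno})
                break
    return hits


def scan_file(path: str, text: str) -> List[Dict]:
    out: List[Dict] = []
    for i, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(path, i, line))
    return out


# Constructed 88-character key shaped like a storage account key; not a real key.
FAKE_KEY = ("Qz7pL2mX9kR4wN1vT8yB3hJ6cF0sD5gA" "eU2iO9rP4tY7lK1nM6bV3xC8zW5qH0jG"
            "sA3dF6gH9jK2lZ5xC8vB1n" "==")
# Constructed settings file; the placeholder line is long but low-entropy, so not flagged.
SAMPLE = "\n".join([
    "# constructed sample configuration",
    f'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=stexample;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"',
    'SQL_CONN = "Server=tcp:sql-example.database.windows.net;Database=app;User ID=appuser;Password=Winter2025!"',
    'VERSION = "1.0.0"',
    'API_TOKEN = "tK9xQ2mW7pL4rZ8vB1nC6yH3jF5sD0gE"',
    'PLACEHOLDER = "' + "x" * 36 + '"',
    'SSH_KEY = "-----BEGIN RSA PRIVATE KEY-----"',
])

if __name__ == "__main__":
    for hit in scan_file("appsettings.py", SAMPLE):
        print(hit)
```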
Dependency scanning: Analyzes open-source libraries identifying vulnerabilities. Package manifests scanned: package.json (Node.js/npm), requirements.txt and Pipfile (Python/pip), pom.xml (Java/Maven), packages.config and .csproj (C#/NuGet), Gemfile (Ruby), go.mod (Go), Cargo.toml (Rust). Findings: Known CVEs in dependencies (e.g., Log4j 2.x RCE vulnerability CVE-2021-44228), outdated packages with security patches available, transitive dependencies (vulnerable libraries your dependencies use), license violations (GPL, copyleft licenses incompatible with commercial use), typosquatting (malicious packages with similar names). Details: Package name and version, vulnerability CVE, severity and CVSS score, affected versions, fixed version available, exploitability, remediation (upgrade to version X). Remediation workflow: Pull request created automatically with dependency updates (Dependabot, Renovate integration), manual update following recommendations, version pinning temporarily if breaking changes, alternative packages if maintainer abandoned. Best practices: Enable Defender for DevOps on all active repositories (prevent vulnerabilities from reaching production), configure pull request scanning (catch issues before merge), enforce PR blocking for Critical findings (prevent merging insecure code), implement pre-commit hooks (local scanning before push), regular dependency updates (monthly security patching), developer security training (secure coding practices, secret management), security champions in teams (promote security culture), integrate findings into sprint backlogs (prioritize security fixes), metrics tracking (remediation time, recurring issues, developer engagement), rotate secrets immediately if exposed (assume compromise), combine DevOps security with runtime protection (shift-left security in development, shift-right with runtime detection).
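A check of pinned requirements.txt versions against an advisory list, added as an example (not Defender for DevOps code); the package names, versions and CVE-EXAMPLE ids are placeholders, and the numeric version compare is the point the netclient line illustrates:

```python
"""Check pinned requirements.txt packages against a small advisory list.
Added example, not Defender for DevOps code: package names, versions and
advisory ids (CVE-EXAMPLE-*) are constructed placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed advisories: any version below "fixed" is affected.
ADVISORIES = [
    {"package": "examplelib", "id": "CVE-EXAMPLE-1001", "fixed": "2.3.1", "severity": "High"},
    {"package": "widgetkit", "id": "CVE-EXAMPLE-1002", "fixed": "1.4.0", "severity": "Medium"},
    {"package": "netclient", "id": "CVE-EXAMPLE-1003", "fixed": "0.10.10", "severity": "Critical"},
    {"package": "reporttool", "id": "CVE-EXAMPLE-1004", "fixed": "1.0.0", "severity": "Low"},
]

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][^\s;#]*)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so 0.10.3 < 0.10.10 (a plain string compare gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) per requirement; comments and -r lines are skipped."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            reqs.append((m.group(1).lower(), m.group(2) or "", m.group(3) or ""))
    return reqs


def check_dependencies(text: str) -> List[Dict]:
    """Flag pinned vulnerable versions; unpinned packages with an advisory are unassessable."""
    by_name = {a["package"]: a for a in ADVISORIES}
    results = []
    for name, op, ver in parse_requirements(text):
        adv = by_name.get(name)
        if adv is None:
            continue
        if op != "==":
            results.append({"package": name, "status": "unpinned", "advisory": adv["id"]})
        elif parse_version(ver) < parse_version(adv["fixed"]):
            results.append({"package": name, "status": "vulnerable", "advisory": adv["id"],
                            "severity": adv["severity"], "remediation": f"upgrade to {adv['fixed']}"})
    return results


# Constructed requirements file.
REQUIREMENTS = """\
# constructed requirements.txt
examplelib==2.2.0
widgetkit==1.4.2        # already above the fixed version
reporttool>=0.9         # unpinned: the resolved version is unknown
netclient==0.10.3       # string compare would wrongly call this safe against 0.10.10
"""

if __name__ == "__main__":
    for r in check_dependencies(REQUIREMENTS):
        print(r)
```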
Exam Preparation Tips
Key Concepts to Master
- Workload protection: Enable Defender plans per workload type (Servers, Storage, SQL, Containers), 30-day free trial, per-resource pricing
- Defender for Servers: Plan 1 (Defender for Endpoint) vs Plan 2 (adds vulnerability assessment, FIM, AAC, JIT), agentless scanning default
- Server features: Vulnerability assessment (agentless 24-hour), file integrity monitoring (critical files), adaptive application controls (allowlisting), JIT access (on-demand ports)
- Defender for SQL: Vulnerability assessment (configuration scanning), threat detection (SQL injection, anomalous access), configured per server/database
- Defender for Storage: Malware scanning (on-upload blob scanning), sensitive data discovery (PII detection), anomalous access detection
- Agentless scanning: Snapshot-based (no agent required), 24-hour intervals, OS and software vulnerabilities, Azure VMs and Arc servers
- Vulnerability Management: Risk-based prioritization (exposure score), software inventory, Update Manager integration, remediation tracking
- Defender for DevOps: GitHub, Azure DevOps, GitLab, IaC scanning (misconfigurations), secret detection (credentials), dependency scanning (CVEs)
Practice Questions
Sample AZ-500 Exam Questions:
- Question: What is the primary difference between Defender for Servers Plan 1 and Plan 2?
- A) Plan 2 includes Defender for Endpoint
- B) Plan 2 adds vulnerability assessment and JIT access
- C) Plan 1 includes agentless scanning
- D) Plan 1 supports Arc-enabled servers
Answer: B) Plan 2 adds vulnerability assessment and JIT access - Plan 2 includes all Plan 1 features plus advanced capabilities.
- Question: What does Defender for Storage malware scanning protect against?
- A) SQL injection attacks
- B) Malicious file uploads to blob storage
- C) Brute force authentication
- D) Cross-site scripting
Answer: B) Malicious file uploads to blob storage - Scans files as uploaded detecting and blocking malware.
- Question: How frequently does agentless vulnerability scanning assess VMs by default?
- A) Real-time continuously
- B) Every hour
- C) Every 24 hours
- D) Weekly
Answer: C) Every 24 hours - Agentless scanning runs every 24 hours using disk snapshots.
- Question: What does Microsoft Defender Vulnerability Management exposure score consider?
- A) Only CVSS severity scores
- B) Vulnerability severity, exploitability, and asset criticality
- C) Only publicly exploited vulnerabilities
- D) Number of vulnerabilities per VM
Answer: B) Vulnerability severity, exploitability, and asset criticality - Exposure score is risk-based combining multiple factors.
- Question: What does Defender for DevOps secret scanning detect?
- A) SQL injection vulnerabilities
- B) Hardcoded credentials and API keys in code
- C) Container vulnerabilities
- D) Network misconfigurations
Answer: B) Hardcoded credentials and API keys in code - Secret scanning identifies exposed credentials preventing unauthorized access.
- Question: What type of assessment does SQL vulnerability assessment provide?
- A) Runtime query monitoring
- B) Database configuration security scanning
- C) Network vulnerability scanning
- D) Application code scanning
Answer: B) Database configuration security scanning - Identifies misconfigurations, missing encryption, excessive permissions.
- Question: What happens when JIT VM access is requested?
- A) VM is restarted
- B) Agent is installed
- C) NSG rule temporarily allows access
- D) VM is moved to different network
Answer: C) NSG rule temporarily allows access - JIT adds temporary NSG rules opening ports for limited time.
- Question: Which DevOps platforms does Defender for DevOps support?
- A) Only GitHub
- B) GitHub and Azure DevOps
- C) GitHub, Azure DevOps, and GitLab
- D) Only Azure DevOps
Answer: C) GitHub, Azure DevOps, and GitLab - Defender for DevOps supports all three major platforms.
AZ-500 Success Tip: Remember to enable Defender plans for workload types (Servers, Storage, SQL, Containers). Defender for Servers Plan 2 adds vulnerability assessment, file integrity monitoring, adaptive application controls, and JIT access. Agentless scanning uses snapshots every 24 hours without agents. SQL vulnerability assessment scans database configuration with remediation scripts. Storage malware scanning protects blob uploads. Defender Vulnerability Management prioritizes by exposure score (severity + exploitability + asset criticality). Defender for DevOps scans IaC templates, detects secrets in code, and identifies vulnerable dependencies in GitHub, Azure DevOps, and GitLab.
Hands-On Practice Lab
Lab Objective
Configure threat protection in Microsoft Defender for Cloud including enabling Defender plans, implementing vulnerability assessment, configuring JIT access, and connecting DevOps repositories.
Lab Activities
Activity 1: Enable Defender Plans
- Enable Defender for Servers: Environment settings → Defender plans → Servers → On → Select Plan 2 → Save
- Enable Defender for Storage: Storage → On → Configure malware scanning settings → Save
- Enable Defender for SQL: Databases → Azure SQL Databases On → Save
- Review coverage: Check enabled plans, verify VMs/storage/databases covered
- Monitor costs: Review estimated monthly costs per resource, leverage 30-day trial if available
Activity 2: Configure Vulnerability Assessment
- Deploy agentless scanning: Defender for Servers Plan 2 enables it automatically → Verify in Settings & monitoring → Agentless scanning: On
- Wait for scan: First scan within 24 hours → Check Recommendations for vulnerability findings
- Review findings: Recommendations → Vulnerabilities in OS should be remediated → View CVEs, severity, affected VMs
- Remediate vulnerability: Select High severity CVE → Follow remediation steps → Apply patches → Trigger re-scan → Verify resolution
- Configure Update Manager: Azure Update Manager → Create assessment schedule → Select VMs → Weekly scans → Save
Activity 3: Configure JIT VM Access
- Enable JIT: Workload protections → Just-in-time VM access → Select VM → Enable JIT on VMs
- Configure ports: Protected ports: RDP 3389, SSH 22 → Maximum request time: 3 hours → Allowed source IPs: My IP → Save
- Request access: Navigate to VM → Connect → Request access (triggers JIT) → Specify duration, justification → Request
- Verify access: NSG shows temporary allow rule → Connect to VM → Access granted
- Monitor expiration: Wait for duration to expire → NSG rule removed automatically → Access denied
Activity 4: Configure SQL Vulnerability Assessment
- Navigate to SQL server: SQL server → Microsoft Defender for Cloud → Configure vulnerability assessment
- Configure storage: Provide storage account for scan results → Enable periodic recurring scans (weekly) → Save
- Run scan: Trigger manual scan → Wait for completion (a few minutes)
- Review findings: View vulnerability assessment results → Check for TDE disabled, auditing issues, firewall misconfigurations
- Remediate: Select finding → Copy provided SQL script → Execute in database → Re-scan → Verify resolution
Activity 5: Connect DevOps Repository (Optional)
- Add environment: Environment settings → Add environment → DevOps → Select GitHub/Azure DevOps
- Authorize: Authenticate with repository platform → Grant required permissions
- Select repositories: Choose repositories to scan → Configure scan triggers (pull requests, scheduled)
- Wait for scan: Initial scan within hours → Review findings in DevOps Security blade
- Review findings: IaC misconfigurations, detected secrets (if any), vulnerable dependencies → Remediate high-priority issues
Activity 6: Review and Document
- Enabled plans: Document which Defender plans enabled, coverage percentage, monthly costs
- Vulnerability posture: Count vulnerabilities by severity, prioritized remediation list, tracking metrics
- JIT configuration: Verify JIT enabled on critical VMs, test access workflow, document procedures
- SQL security: Review vulnerability assessment findings, remediation progress, scan schedule
- DevOps security: Connected repositories, security findings, remediation workflow
- Create action plan: Prioritize threat protection improvements → Set timelines → Assign ownership
Lab Outcomes
After completing this lab, you'll have hands-on experience configuring threat protection in Microsoft Defender for Cloud. You'll understand how to enable workload-specific Defender plans providing specialized protection, configure Defender for Servers Plan 2 with vulnerability assessment and JIT access, implement agentless scanning for VMs without operational overhead, configure SQL vulnerability assessment identifying database misconfigurations, and connect DevOps repositories for shift-left security. These practical skills demonstrate the threat protection capabilities tested in the AZ-500 exam and provide a foundation for implementing comprehensive workload protection across Azure environments.
Frequently Asked Questions
How do you enable workload protection services in Microsoft Defender for Cloud?
Microsoft Defender for Cloud workload protection services provide advanced threat detection and protection for specific Azure resource types. Available Defender plans: Defender for Servers (VMs, VM Scale Sets, Arc-enabled servers with vulnerability assessment, adaptive controls, JIT access, threat detection), Defender for App Service (web apps, APIs, functions with runtime threat protection, code vulnerability scanning), Defender for Storage (blob, file, queue storage with malware scanning on upload, sensitive data discovery, anomalous access detection), Defender for SQL (Azure SQL Database, SQL Managed Instance, SQL on VMs with vulnerability assessment, threat detection for SQL injection and anomalous queries), Defender for Databases (Cosmos DB, Azure Database for PostgreSQL/MySQL/MariaDB, on-premises SQL via Arc), Defender for Containers (AKS, ACR, ACI, GKE, EKS with image scanning, runtime threat protection, Kubernetes configuration assessment), Defender for Key Vault (suspicious access patterns, key vault data plane operation monitoring), Defender for Resource Manager (control plane operation monitoring, detecting suspicious management activities), Defender for DNS (DNS query analysis detecting malicious domains, DGA detection, data exfiltration attempts via DNS tunneling), Defender for open-source relational databases (PostgreSQL, MySQL, MariaDB). Enable Defender plans: Defender for Cloud → Environment settings → Select subscription → Defender plans → Toggle plans On/Off individually or select All plans on. Each plan shows pricing per resource per month and the trial period (30 days free for new subscriptions). Plan selection: Enable plans for production workloads requiring threat protection, start with the most critical resources (servers, databases, storage), use trials to evaluate features before committing, enable all plans for comprehensive protection.
Plan 1 vs Plan 2 (Servers): Plan 1 provides foundational server protection (Microsoft Defender for Endpoint integration, security alerts), Plan 2 adds advanced features (vulnerability assessment, file integrity monitoring, adaptive application controls, JIT access, Docker host hardening). Plan 2 recommended for production servers. Monitoring status: Environment settings shows plan status (On, Off, Partial coverage if some resources unprotected), alerts dashboard shows security alerts from enabled plans, recommendations include enabling Defender plans for unprotected resources. Best practices: Enable Defender plans for all production environments, use Plan 2 for Servers for full feature set, enable Defender for Storage for accounts with sensitive data, enable Defender for SQL for all databases, use 30-day trial to test features, monitor costs as plans charge per resource, disable plans for non-production or low-value resources if cost constrained, regularly review enabled plans ensuring coverage matches protection needs, configure alert notifications for security incidents, integrate alerts with Azure Sentinel for SIEM correlation.
Written by Joe De Coppi - Last Updated November 14, 2025