SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters
  • Advanced Hunting in Defender XDR
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 2: Respond to Security Incidents

Purview & Defender for Cloud Threats

Not all threats come from endpoints. Learn how to investigate compromised entities flagged by Microsoft Purview and security alerts from Microsoft Defender for Cloud workload protections.

Threats beyond the endpoint

☕ Simple explanation

Not every security incident starts with a virus on a laptop. Sometimes it is an employee downloading thousands of confidential files before their resignation (Purview detects this). Sometimes it is an attacker exploiting a misconfigured Azure VM (Defender for Cloud detects this).

Microsoft Purview watches for data-related threats — insider risk, DLP violations, and compromised entities that leak or abuse sensitive data. Defender for Cloud watches your Azure (and multi-cloud) workloads — VMs, databases, storage accounts, containers — for security threats and misconfigurations.

Both send alerts into the unified Defender XDR incident queue, and as a SOC analyst, you investigate them alongside endpoint and identity threats.

Microsoft Purview generates security signals through Insider Risk Management, DLP policy violations, and data classification analytics. When Purview identifies a compromised entity or risky data activity, it creates alerts that surface in Defender XDR for SOC investigation.

Microsoft Defender for Cloud provides cloud workload protection across Azure, AWS, and GCP. Its protection plans (Defender for Servers, Defender for SQL, Defender for Storage, Defender for Containers, Defender for Key Vault, etc.) generate security alerts for threats targeting cloud resources. These alerts also integrate into the Defender XDR unified incident queue.

Microsoft Purview threat investigation

What Purview detects

| Signal | Example | Investigation Focus |
|---|---|---|
| Insider risk alerts | Employee downloading sensitive files to USB before resignation | User activity timeline, file access patterns, HR context |
| DLP policy violations | Credit card numbers sent via external email | Email content, sender intent, policy match details |
| Data classification anomalies | Sudden spike in access to files labelled “Highly Confidential” | Who accessed what, when, and from where |
| Compromised entity | User account accessing data from unusual location after credential theft | Account compromise indicators, session analysis |

Investigation workflow

  1. Review the Purview alert in Defender XDR — what entity is flagged? What data was involved?
  2. Check the user’s risk profile — is this person flagged in Insider Risk Management?
  3. Examine data access — Content Explorer and Activity Explorer show exactly what the user accessed
  4. Correlate with identity signals — did the user also trigger Entra ID or Defender for Identity alerts?
  5. Determine intent — accidental (training issue), policy gap (oversharing), or malicious (insider threat)
  6. Remediate — block further access, revoke sessions, escalate to HR/Legal if needed

💡 Scenario: James investigates a Purview alert

James at Pacific Meridian receives an alert: “High-risk user activity — bulk file download.”

A departing employee downloaded 2,300 files labelled “Confidential — HR” from SharePoint to a personal USB drive over two days.

Investigation:

  • Insider Risk Management shows the user was flagged 3 weeks ago (resignation notice submitted)
  • Activity Explorer shows the downloads happened outside business hours
  • DLP logs show no external email or cloud upload — the data is on the USB

Response:

  • James escalates to HR and Legal (potential IP theft)
  • Disables the user’s account
  • Works with the facilities team to retrieve the USB before the employee’s last day
  • Creates a Purview alert policy to detect similar patterns for future departures

Classification: True Positive — Data theft/insider risk
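Worked example, added here and not part of the study guide: the investigation workflow above (steps 2, 3, 5 and 6) run over constructed Activity Explorer style records and a hypothetical Insider Risk Management flag that reproduce James's scenario. The record layout, user names, label names and the 500-file threshold are assumptions, not Purview's own output or API.

```python
from datetime import datetime

# Constructed Activity Explorer style records for illustration (not real Purview output):
# (user, timestamp, activity, sensitivity label, destination, file count)
ACTIVITY = [
    ("departing.user@example.com", "2026-03-02T22:15:00", "FileDownloaded", "Confidential - HR", "RemovableMedia", 1400),
    ("departing.user@example.com", "2026-03-03T06:30:00", "FileDownloaded", "Confidential - HR", "RemovableMedia", 900),
    ("departing.user@example.com", "2026-03-03T11:05:00", "EmailSent", "Confidential - HR", "internal", 1),
    ("other.user@example.com", "2026-03-03T10:00:00", "FileDownloaded", "General", "RemovableMedia", 12),
]
# Constructed Insider Risk Management flags (hypothetical): user -> why the policy triggered.
IRM_FLAGS = {"departing.user@example.com": "resignation notice submitted 2026-02-10"}
SENSITIVE_LABELS = {"Confidential - HR", "Highly Confidential"}


def triage_purview_alert(user, activity=ACTIVITY, irm_flags=IRM_FLAGS, bulk_threshold=500):
    """Apply the workflow above to one flagged user and return the verdict with its evidence."""
    indicators, downloads, files, external_leak = [], [], 0, False
    for who, ts, action, label, dest, count in activity:
        if who != user:
            continue
        hour = datetime.fromisoformat(ts).hour
        if action == "FileDownloaded" and dest == "RemovableMedia":
            downloads.append((label, hour))
            files += count
        elif action in ("EmailSent", "CloudUpload") and dest in ("external", "cloud-upload"):
            external_leak = True                       # DLP would have seen an external transfer
    if user in irm_flags:                              # step 2: risk profile
        indicators.append("IRM flag: " + irm_flags[user])
    if files >= bulk_threshold:                        # step 3: volume of data access
        indicators.append(f"bulk download: {files} files to removable media")
    if downloads and all(h < 8 or h >= 18 for _, h in downloads):
        indicators.append("all downloads outside business hours")
    sensitive = {label for label, _ in downloads} & SENSITIVE_LABELS
    if sensitive:
        indicators.append("labels involved: " + ", ".join(sorted(sensitive)))
    indicators.append("DLP: external email or cloud upload seen" if external_leak
                      else "DLP: no external email or cloud upload; the data is on the removable media")
    # Step 5 (intent): flagged user + bulk sensitive download = malicious; bulk alone = policy gap to review.
    if user in irm_flags and files >= bulk_threshold and sensitive:
        verdict = "True Positive - data theft/insider risk"
        response = ["escalate to HR and Legal", "disable the account and revoke sessions",
                    "retrieve the removable media", "create an alert policy for future departures"]
    elif files >= bulk_threshold:
        verdict = "Needs review - bulk download without insider-risk context"
        response = ["confirm business justification with the manager", "review the sharing policy"]
    else:
        verdict = "Benign - activity within policy"
        response = []
    return {"user": user, "files": files, "verdict": verdict, "indicators": indicators, "response": response}
```

Step 4 (identity correlation) is left to the Entra ID and Defender for Identity signals covered in the next module; the returned indicators list is what an analyst would paste into the incident comments.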

Defender for Cloud workload protection

What Defender for Cloud protects

| Protection Plan | What It Covers | Example Alerts |
|---|---|---|
| Defender for Servers | Azure/on-prem/AWS VMs | Suspicious process execution, cryptomining, reverse shell |
| Defender for SQL | Azure SQL, SQL on VMs | SQL injection, brute force, anomalous query patterns |
| Defender for Storage | Azure Blob, Files, Data Lake | Malware upload, unusual access patterns, anonymous access |
| Defender for Containers | AKS, container registries | Vulnerable images, runtime threats, privileged container escape |
| Defender for Key Vault | Azure Key Vault | Unusual secret access, suspicious IP accessing keys |
| Defender for App Service | Azure App Service | Web shell detection, suspicious outbound traffic |

Investigation workflow

  1. Review the alert — what resource is affected? What was the suspicious activity?
  2. Check resource context — who owns it? What does it run? Is it internet-facing?
  3. Examine the timeline — when did the activity start? What happened before and after?
  4. Check for lateral movement — did the attacker pivot from this resource to others?
  5. Remediate — patch the vulnerability, isolate the resource, rotate credentials, review network security groups

💡 Scenario: Elena investigates a cloud alert

Elena at Atlas Bank receives: “Defender for SQL — Potential SQL injection on prod-payments-db.”

Investigation:

  • The alert shows a series of SQL queries with UNION SELECT and DROP TABLE patterns from an external IP
  • The application is a payment processing API exposed via Azure App Service
  • Defender for App Service also shows suspicious outbound connections from the same App Service instance

Response:

  • Elena adds the attacker’s IP to App Service access restrictions to block it immediately
  • Reviews SQL audit logs — the injection attempts failed (parameterised queries blocked them)
  • Checks for data exfiltration — no unauthorised data access confirmed
  • Recommends the dev team add a WAF (Web Application Firewall) in front of the API
  • Files the incident as True Positive — attempted SQL injection (blocked)
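
Worked example, added here and not the study guide's own material: Elena's triage (the cloud workflow's steps 1, 3, 4 and 5) carried out over constructed SQL audit records and a constructed Defender for App Service outbound-connection signal. The record layouts, the `succeeded` flag, the application name and the IP addresses (RFC 5737 documentation ranges) are assumptions, not Azure SQL auditing or Defender output.

```python
import re
from collections import Counter

# Constructed SQL audit records for illustration (not real Azure SQL auditing output):
# (client IP, calling application, statement text, succeeded). succeeded=False means the
# server errored on the statement, so the injected clause never ran.
SQL_AUDIT = [
    ("203.0.113.45", "payments-api", "SELECT amount FROM payments WHERE id = @id UNION SELECT 1, 2", False),
    ("203.0.113.45", "payments-api", "SELECT amount FROM payments WHERE id = @id; DROP TABLE payments", False),
    ("10.0.4.12", "payments-api", "SELECT amount FROM payments WHERE id = @id", True),
]
# Constructed Defender for App Service signal: (app, destination IP, port) of outbound connections.
APP_SERVICE_OUTBOUND = [("payments-api", "198.51.100.7", 4444)]
# Only the two pattern families the alert in the scenario names.
INJECTION_PATTERNS = [re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
                      re.compile(r"\bDROP\s+TABLE\b", re.I)]


def triage_sql_injection_alert(audit=SQL_AUDIT, outbound=APP_SERVICE_OUTBOUND, app="payments-api"):
    """Gather the evidence, decide whether any attempt ran, check the pivot, and list the response."""
    hits = [(ip, stmt, ok) for ip, caller, stmt, ok in audit
            if caller == app and any(p.search(stmt) for p in INJECTION_PATTERNS)]
    if not hits:
        return {"verdict": "False Positive - no injection pattern in the audit log",
                "block_ips": [], "attempts": 0, "succeeded": 0, "response": []}
    attacker_ips = sorted(Counter(ip for ip, _, _ in hits))   # step 1: who sent the statements
    succeeded = [stmt for _, stmt, ok in hits if ok]           # step 3: did any of them run?
    pivot = [dst for src, dst, _ in outbound if src == app]    # step 4: movement from the app tier
    response = [f"add {ip} to App Service access restrictions" for ip in attacker_ips]
    if succeeded:
        verdict = "True Positive - SQL injection succeeded; check for data exfiltration"
        response += ["rotate database credentials", "review audit logs for data read by the injected statements"]
    else:
        verdict = "True Positive - attempted SQL injection (blocked by parameterised queries)"
    if pivot:
        response.append("investigate outbound connections from the App Service instance to " + ", ".join(pivot))
    response.append("recommend a WAF in front of the API")
    return {"verdict": verdict, "block_ips": attacker_ips, "attempts": len(hits),
            "succeeded": len(succeeded), "response": response}
```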

Purview watches people and data; Defender for Cloud watches infrastructure

| Feature | Purview Threats | Defender for Cloud Threats |
|---|---|---|
| Focus | Data and user behaviour | Cloud infrastructure and workloads |
| Threat type | Insider risk, DLP violations, data exfiltration | External attacks, misconfigurations, malware on cloud resources |
| Key data | User activity, file access, email content, risk scores | Resource logs, network flows, process execution, vulnerability scans |
| Investigation tools | Activity Explorer, Content Explorer, Insider Risk dashboard | Alert timeline, resource map, security recommendations |
| Remediation | Block user, revoke sessions, escalate to HR/Legal | Patch, isolate resource, rotate credentials, update NSGs |

Question

What types of threats does Microsoft Purview surface for SOC investigation?

Answer

Insider risk alerts (departing employees, policy violations), DLP policy violations (sensitive data sent externally), data classification anomalies (unusual access to classified data), and compromised entities (accounts accessing data abnormally after credential theft).

Question

Name three Defender for Cloud workload protection plans.

Answer

Defender for Servers (VM threats), Defender for SQL (injection, brute force), Defender for Storage (malware uploads, unusual access), Defender for Containers (vulnerable images, runtime threats), Defender for Key Vault (suspicious secret access), Defender for App Service (web shells).

Question

A departing employee downloads 2,000 confidential files to a USB drive. Which Microsoft product detects this?

Answer

Microsoft Purview — specifically Insider Risk Management. It monitors user behaviour patterns (bulk downloads, USB usage, resignation triggers) and creates alerts for risky data activities.

Knowledge Check

James sees a Purview alert: a user flagged for insider risk has downloaded 500 HR files to a USB drive outside business hours. The user submitted a resignation last week. What should James do first?

Knowledge Check

Elena sees a Defender for Cloud alert: 'Potential SQL injection on prod-payments-db.' SQL audit logs show the injection attempts were blocked by parameterised queries. How should she classify this?

Next up: Data and cloud threats are covered. Now let’s tackle identity — compromised accounts from Entra ID and Defender for Identity alerts.

© 2026 Sutheesh. All rights reserved.
