Microsoft Security Solutions
Four altitudes over one estate
This is the largest domain on the exam, and the one where Microsoft's shared "Defender" brand does the most to mislead. The way through is a single idea: the four pages here are four different altitudes over the same estate, and each answers a different security question. Read them as one progression, prevent, then assess posture, then detect and respond, then correlate and automate. Azure Infrastructure Security is the prevent layer, the controls you place directly in the network path so a bad request is stopped before it reaches a resource. Azure Security Management is the posture layer, checking whether everything is configured securely before anything goes wrong. Microsoft Defender XDR (extended detection and response) is the detection-and-response layer, watching each attack surface for an attack already in progress. Microsoft Sentinel is the correlate-and-automate layer, the estate-wide system that ingests from all of the above and acts on it. The classic trap is treating these four pages, and the many services named "Defender", as one interchangeable pile; the altitude each occupies is exactly what tells them apart.
The domain unfolds in four steps
Read the four subtopics as a pipeline that a request, and then an attacker, travels through. First, Azure Infrastructure Security places preventive controls in the network path: Azure DDoS (distributed denial-of-service) Protection scrubs volumetric floods at the edge, Azure Firewall filters across your virtual networks while a network security group (NSG) filters within one, a web application firewall (WAF) catches layer-7 exploits, virtual network segmentation keeps workloads apart, Azure Bastion gives admins remote access without a public IP, and Azure Key Vault holds the secrets. Second, Azure Security Management steps back to posture: Microsoft Defender for Cloud runs cloud security posture management (CSPM), scoring how securely everything is configured and listing what to fix, with paid cloud workload protection (CWPP) plans layered on top. Third, Microsoft Defender XDR moves to live detection and response, one service per attack surface (endpoints, email and collaboration, on-premises identities, and SaaS apps), correlated into incidents in the Microsoft Defender portal. Fourth, Microsoft Sentinel sits above everything as the estate-wide SIEM (security information and event management) and SOAR (security orchestration, automation, and response), ingesting signals from every layer below plus third-party and on-premises sources and automating the response. In Zero Trust terms Sentinel is the seventh of the seven pillars, visibility, automation, and orchestration, where the signals from the other six are aggregated and acted on (Zero Trust depth). Reach for each in that order and every service on the page has one obvious home.
When the Defender name collides, ask what it protects
The instinct the exam rewards: when the "Defender" name appears and two answers both look plausible, ask what the thing protects and at what altitude, not which brand it carries. Two boundaries follow from that, and each is easy to miss because its subtopic teaches it from only one side. First, Microsoft Defender for Cloud is not part of Microsoft Defender XDR: Defender for Cloud protects Azure, hybrid, and multicloud resources and workloads (posture and workload protection for infrastructure), while Defender XDR protects endpoints, email, on-premises identities, and SaaS apps. They integrate but do not overlap, so a question about securing a subscription, a virtual machine, or overall cloud posture points to Defender for Cloud, and one about a compromised laptop or mailbox points to Defender XDR. Second, Microsoft Sentinel is not "the XDR portal", and Defender XDR is not a SIEM: Defender XDR detects and responds on specific surfaces, while Sentinel sits on top as the estate-wide SIEM and SOAR, ingesting XDR's incidents alongside everything else. The two can share one console in the Microsoft Defender portal (the unified security operations platform), but they answer different questions: XDR protects surfaces, Sentinel correlates the whole estate.
The domain's four stages, and which subtopic owns each
| Stage | The question it answers | Key Microsoft services | Drill into |
|---|---|---|---|
| Prevent | Is the request stopped before it reaches a resource? | Azure DDoS Protection, Azure Firewall, WAF, virtual network and NSG segmentation, Azure Bastion, Azure Key Vault | Azure Infrastructure Security |
| Assess posture | Is this configured securely, before anything happens? | Microsoft Defender for Cloud (CSPM, secure score) plus paid workload-protection plans | Azure Security Management |
| Detect and respond | Is an attack under way on this surface, and can we follow it across others? | Microsoft Defender XDR: Defender for Endpoint, Office 365, Identity, Cloud Apps | Microsoft Defender XDR |
| Correlate and automate | Can we see and act on the whole estate at once? | Microsoft Sentinel (SIEM plus SOAR) | Microsoft Sentinel |