Domain 2: Respond to Security Incidents

Purview & Defender for Cloud Threats

Not all threats come from endpoints. Learn how to investigate compromised entities flagged by Microsoft Purview and security alerts from Microsoft Defender for Cloud workload protections.

Threats beyond the endpoint

Simple explanation

Not every security incident starts with a virus on a laptop. Sometimes it is an employee downloading thousands of confidential files before their resignation (Purview detects this). Sometimes it is an attacker exploiting a misconfigured Azure VM (Defender for Cloud detects this).

Microsoft Purview watches for data-related threats: insider risk, DLP violations, and compromised entities that leak or abuse sensitive data. Defender for Cloud watches your Azure (and multi-cloud) workloads, such as VMs, databases, storage accounts and containers, for security threats and misconfigurations.

Both send alerts into the unified Defender XDR incident queue once their integrations are enabled, and as a SOC analyst you investigate them alongside endpoint and identity threats.

Microsoft Purview threat investigation

What Purview detects

Signal | Example | Investigation focus
Insider risk alerts | Employee downloading sensitive files to USB before resignation | User activity timeline, file access patterns, HR context
DLP policy violations | Credit card numbers sent via external email | Email content, sender intent, policy match details
Data classification anomalies | Sudden spike in access to files labelled “Highly Confidential” | Who accessed what, when, and from where
Compromised entity | User account accessing data from an unusual location after credential theft | Account compromise indicators, session analysis

Investigation workflow

  1. Review the Purview alert in Defender XDR: what entity is flagged? What data was involved?
  2. Check the user’s risk profile: is this person flagged in Insider Risk Management?
  3. Examine data access: Activity Explorer shows the label and DLP activity on the files (downloads, copies to removable media, label changes), and Content Explorer shows what sensitive information those items contain
  4. Correlate with identity signals: did the user also trigger Entra ID or Defender for Identity alerts?
  5. Determine intent: accidental (training issue), policy gap (oversharing), or malicious (insider threat)
  6. Remediate: block further access, revoke sessions, escalate to HR/Legal if needed

Scenario: James investigates a Purview alert

James at Pacific Meridian receives an alert: “High-risk user activity: bulk file download.”

A departing employee downloaded 2,300 files labelled “Confidential - HR” from SharePoint to a personal USB drive over two days.

Investigation:

  • Insider Risk Management shows the user was flagged 3 weeks ago (resignation notice submitted)
  • Activity Explorer shows the downloads happened outside business hours
  • DLP logs show no external email or cloud upload; the only egress was the copy to removable media, so the data is on the USB

Response:

  • James escalates to HR and Legal (potential IP theft)
  • Disables the user’s account
  • Works with the facilities team to retrieve the USB before the employee’s last day
  • Creates an Insider Risk Management policy (the departing-user data-leak template) to detect similar patterns for future departures

Classification: True Positive (data theft / insider risk)
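
Steps 2 and 3 of the workflow above, and the bulk-download evidence in James’s scenario, can be reproduced as detection logic. The following Python is an added example, not code from the course page or from Microsoft Purview: it runs over constructed audit records shaped like Unified Audit Log SharePoint entries, finds users whose download rate in any 24-hour window crosses a threshold, and enriches each hit with the after-hours share, sensitivity labels, source IPs and a departing-user flag taken from an assumed HR list. The field names, thresholds, domain and user names are assumptions.

```python
"""Bulk-download triage over constructed Office 365 audit records.

Added example, not code from the course page or from Microsoft. The records are
constructed to resemble Unified Audit Log entries for SharePoint (CreationTime,
Operation, Workload, UserId, ObjectId, ClientIP, SensitivityLabel); the field
names, thresholds, domain and the departing-user list are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59, timestamps already local
BULK_THRESHOLD = 20             # assumption: downloads inside WINDOW that count as bulk
WINDOW = timedelta(hours=24)

# Assumed HR / Insider Risk Management context: users with a resignation on file.
DEPARTING_USERS = {"jdoe@pacificmeridian.example": datetime(2024, 6, 14)}


def make_download(user, when, path, label, ip):
    """Build one constructed audit record in the assumed schema."""
    return {"CreationTime": when, "Operation": "FileDownloaded",
            "Workload": "SharePoint", "UserId": user, "ObjectId": path,
            "ClientIP": ip, "SensitivityLabel": label}


def sample_records():
    """Constructed sample: 25 HR files per night on two consecutive nights by a
    departing user, plus three daytime downloads by a normal user."""
    records = []
    for day in (1, 2):
        for i in range(25):
            records.append(make_download(
                "jdoe@pacificmeridian.example", datetime(2024, 6, day, 22, i),
                f"https://pacificmeridian.example/sites/HR/Reviews/review_{day}_{i}.docx",
                "Confidential - HR", "203.0.113.5"))
    for i in range(3):
        records.append(make_download(
            "asmith@pacificmeridian.example", datetime(2024, 6, 2, 10, i),
            f"https://pacificmeridian.example/sites/Sales/deck_{i}.pptx",
            "General", "198.51.100.7"))
    return records


def peak_in_window(times, window):
    """Largest number of events whose timestamps fit inside `window`
    (two-pointer sweep over sorted times)."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bulk_downloads(records, departing_users, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return one finding per user whose peak download rate reaches `threshold`,
    enriched with the context an analyst checks next: after-hours count,
    sensitivity labels touched, source IPs and whether HR has a resignation on file."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded" and r["Workload"] == "SharePoint":
            by_user[r["UserId"]].append(r)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["CreationTime"])
        times = [e["CreationTime"] for e in events]
        peak = peak_in_window(times, window)
        if peak < threshold:
            continue
        findings.append({
            "user": user,
            "total_downloads": len(events),
            "peak_in_window": peak,
            "after_hours": sum(t.hour not in BUSINESS_HOURS for t in times),
            "labels": dict(Counter(e["SensitivityLabel"] for e in events)),
            "source_ips": sorted({e["ClientIP"] for e in events}),
            "first_seen": times[0],
            "last_seen": times[-1],
            "departing": user in departing_users,
        })
    return sorted(findings, key=lambda f: f["peak_in_window"], reverse=True)


if __name__ == "__main__":
    for f in find_bulk_downloads(sample_records(), DEPARTING_USERS):
        print(f"{f['user']}: {f['total_downloads']} downloads, peak {f['peak_in_window']} "
              f"in 24h, {f['after_hours']} after hours, labels {f['labels']}, "
              f"departing={f['departing']}")
```

The sliding window is the point: a fixed calendar-day count would split the two nights in the scenario and can miss a slow copy that straddles midnight. In production the HR context comes from the Insider Risk Management HR connector and the records from the audit log or an Activity Explorer export, and the threshold has to be tuned against the organisation’s normal download baseline, which is why step 5 (intent) still needs a human.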

Defender for Cloud workload protection

What Defender for Cloud protects

Protection plan | What it covers | Example alerts
Defender for Servers | Azure, AWS, GCP and on-premises (Azure Arc) VMs | Suspicious process execution, cryptomining, reverse shell
Defender for SQL | Azure SQL, SQL on VMs | SQL injection, brute force, anomalous query patterns
Defender for Storage | Azure Blob, Files, Data Lake | Malware upload, unusual access patterns, anonymous access
Defender for Containers | AKS, EKS, GKE and container registries | Vulnerable images, runtime threats, privileged container escape
Defender for Key Vault | Azure Key Vault | Unusual secret access, suspicious IP accessing keys
Defender for App Service | Azure App Service | Web shell detection, suspicious outbound traffic

Investigation workflow

  1. Review the alert: what resource is affected? What was the suspicious activity?
  2. Check resource context: who owns it? What does it run? Is it internet-facing?
  3. Examine the timeline: when did the activity start? What happened before and after?
  4. Check for lateral movement: did the attacker pivot from this resource to others?
  5. Remediate: patch the vulnerability, isolate the resource, rotate credentials, review network security groups

Scenario: Elena investigates a cloud alert

Elena at Atlas Bank receives: “Defender for SQL: Potential SQL injection on prod-payments-db.”

Investigation:

  • The alert shows a series of SQL queries with UNION SELECT and DROP TABLE patterns from an external IP
  • The application is a payment processing API exposed via Azure App Service
  • Defender for App Service also shows suspicious outbound connections from the same App Service instance

Response:

  • Elena adds the attacker’s IP to App Service access restrictions to block it immediately
  • Reviews SQL audit logs: the injection attempts failed because the API uses parameterised queries, so the attacker’s text was bound as a value rather than executed as SQL
  • Checks for data exfiltration: finds no evidence of unauthorised data access
  • Triages the Defender for App Service outbound-connection alert on its own evidence before closing; a blocked injection does not explain those connections
  • Recommends the dev team add a WAF (Azure Application Gateway or Azure Front Door Web Application Firewall) in front of the API as defence in depth
  • Files the incident as True Positive: attempted SQL injection (blocked)
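
The finding in Elena’s audit-log review, that parameterised queries stopped the injection, is easy to see in code. The following Python is an added example, not code from the course page or from the payments API it describes: it runs the same kind of UNION SELECT payload through a string-concatenated query and a parameterised one against an in-memory SQLite database, and scans the statement text for the patterns the alert cited. Table names, columns and payloads are constructed.

```python
"""Why the parameterised queries in Elena's scenario stopped the injection.

Added example; not code from the course page or from the payments API the
scenario describes. It uses an in-memory SQLite database with constructed rows,
and the table names, columns and payloads are assumptions for illustration.
"""
import re
import sqlite3

# Payloads of the shape the Defender for SQL alert described (constructed).
UNION_PAYLOAD = "x' UNION SELECT card_number, cvv FROM cards --"
DROP_PAYLOAD = "x'; DROP TABLE merchants; --"

# The only statement text the safe lookup ever sends to the database.
SAFE_SQL = "SELECT id, name FROM merchants WHERE id = ?"

# Patterns an analyst greps for when reviewing statement text in SQL audit logs.
INJECTION_PATTERNS = re.compile(r"\bUNION\s+SELECT\b|\bDROP\s+TABLE\b|--|/\*", re.IGNORECASE)


def setup_db():
    """Constructed payments schema: one merchant and one stored card."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE merchants (id TEXT, name TEXT);
        CREATE TABLE cards (card_number TEXT, cvv TEXT);
        INSERT INTO merchants VALUES ('m-100', 'Atlas Coffee');
        INSERT INTO cards VALUES ('4111111111111111', '123');
    """)
    return con


def build_vulnerable_sql(merchant_id):
    """String concatenation: the caller's text becomes part of the SQL grammar."""
    return "SELECT id, name FROM merchants WHERE id = '" + merchant_id + "'"


def lookup_merchant_vulnerable(con, merchant_id):
    """Executes whatever grammar the input produced. With UNION_PAYLOAD the
    second SELECT runs and the trailing quote is swallowed by the -- comment."""
    return con.execute(build_vulnerable_sql(merchant_id)).fetchall()


def lookup_merchant_safe(con, merchant_id):
    """Parameterised query: the driver binds merchant_id as a value, so quotes,
    UNION and comment markers are just characters compared against the id column."""
    return con.execute(SAFE_SQL, (merchant_id,)).fetchall()


def looks_injected(sql_text):
    """True if the statement text carries the patterns cited in the alert."""
    return bool(INJECTION_PATTERNS.search(sql_text))


if __name__ == "__main__":
    con = setup_db()
    print("vulnerable:", lookup_merchant_vulnerable(con, UNION_PAYLOAD))  # leaks the card row
    print("safe:", lookup_merchant_safe(con, UNION_PAYLOAD))              # []
    print("safe, real id:", lookup_merchant_safe(con, "m-100"))
    for payload in (UNION_PAYLOAD, DROP_PAYLOAD):
        print("concatenated statement flagged:", looks_injected(build_vulnerable_sql(payload)))
    print("parameterised statement flagged:", looks_injected(SAFE_SQL))  # False
```

The stacked DROP TABLE payload is only scanned, not executed, because Python’s sqlite3 execute() refuses multi-statement strings; drivers for other engines often do not, which is why that pattern in an audit log deserves attention even when the UNION attempt failed. In this example the statement text the safe path sends is the fixed template and the detector does not flag it; a real server audit log may still record the bound value alongside the template, which is how Elena could see the attempts at all. A WAF in front of the API filters the obvious payloads before they reach the database; it complements the parameterised queries and does not replace them.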
Purview watches people and data; Defender for Cloud watches infrastructure

Feature | Purview threats | Defender for Cloud threats
Focus | Data and user behaviour | Cloud infrastructure and workloads
Threat type | Insider risk, DLP violations, data exfiltration | External attacks, misconfigurations, malware on cloud resources
Key data | User activity, file access, email content, risk scores | Resource logs, network flows, process execution, vulnerability scans
Investigation tools | Activity Explorer, Content Explorer, Insider Risk dashboard | Alert timeline, resource map, security recommendations
Remediation | Block user, revoke sessions, escalate to HR/Legal | Patch, isolate resource, rotate credentials, update NSGs

Question

What types of threats does Microsoft Purview surface for SOC investigation?


Answer

Insider risk alerts (departing employees, policy violations), DLP policy violations (sensitive data sent externally), data classification anomalies (unusual access to classified data), and compromised entities (accounts accessing data abnormally after credential theft).


Question

Name three Defender for Cloud workload protection plans.


Answer

Defender for Servers (VM threats), Defender for SQL (injection, brute force), Defender for Storage (malware uploads, unusual access), Defender for Containers (vulnerable images, runtime threats), Defender for Key Vault (suspicious secret access), Defender for App Service (web shells).


Question

A departing employee downloads 2,000 confidential files to a USB drive. Which Microsoft product detects this?


Answer

Microsoft Purview, specifically Insider Risk Management. It monitors user behaviour patterns (bulk downloads, USB usage, resignation triggers) and creates alerts for risky data activities.


Knowledge Check

James sees a Purview alert: a user flagged for insider risk has downloaded 500 HR files to a USB drive outside business hours. The user submitted a resignation last week. What should James do first?

Knowledge Check

Elena sees a Defender for Cloud alert: 'Potential SQL injection on prod-payments-db.' SQL audit logs show the injection attempts were blocked by parameterised queries. How should she classify this?

Next up: data and cloud threats are covered. Now let’s tackle identity: compromised accounts from Entra ID and Defender for Identity alerts.