Responding to your first incident


Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

An organization's incident response strategy determines its ability to deal with increasingly disruptive security incidents and cybercrime. While taking preventative measures is important, the ability to act quickly to contain, eradicate, and recover from detected incidents can minimize damage and business losses.

This incident response walkthrough shows how you, as part of a security operations (SecOps) team, can perform most of the key incident response steps within Microsoft 365 Defender. Here are the steps:

  • Preparation of your security posture
  • For each incident:
    • Step 1: Triage and analysis
    • Step 2: Remediation (containment, eradication, and recovery)
    • Step 3: Post-incident review

A security incident is defined by National Institute of Standards and Technology (NIST) as "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies."

Incidents in Microsoft 365 Defender are the logical starting points for analysis and incident response. Analyzing and remediating incidents typically makes up most of a (SecOps) team's tasks and time.

Next step

The Remediate option in Respond to your first incident page

Make sure your organization and Microsoft 365 tenant is prepared for incident handling.

See also

Incident response guidance for Microsoft 365 Defender:

More examples of first incident responses:

Detailed incident response playbooks