Incident response overview

Incident response is the practice of investigating and remediating active attack campaigns against your organization. It is part of the security operations (SecOps) discipline and is primarily reactive in nature.

Incident response has the largest direct influence on the overall mean time to acknowledge (MTTA) and mean time to remediate (MTTR), which measure how well security operations are able to reduce organizational risk. Incident response teams rely heavily on good working relationships between threat hunting, intelligence, and incident management teams (if present) to actually reduce risk. See SecOps metrics for more information.

For more information on security operations roles and responsibilities, see Cloud SOC functions.

New-to-role resources

If you're new to the role of security analyst, see these resources to get you started.

| Topic | Resource |
|---|---|
| SecOps planning for incident response | Incident response planning for preparing your organization for an incident. |
| SecOps incident response process | Incident response process for best practices on responding to an incident. |
| Incident response workflow | Example incident response workflow for Microsoft 365 Defender |
| Periodic security operations | Example periodic security operations for Microsoft 365 Defender |
| Investigation for Microsoft Sentinel | Incidents in Microsoft Sentinel |
| Investigation for Microsoft 365 Defender | Incidents in Microsoft 365 Defender |

Experienced security analyst resources

If you're an experienced security analyst, see these resources to quickly ramp up your SecOps team for Microsoft security services.

| Topic | Resource |
|---|---|
| Microsoft Sentinel | How to investigate incidents |
| Microsoft Defender for Cloud (Azure resources) | How to investigate alerts |
| Microsoft 365 Defender | How to investigate incidents |
| Security operations establishment or modernization | Azure Cloud Adoption Framework articles for SecOps and SecOps functions |
| Microsoft security best practices | How to best use your SecOps center |
| Incident response playbooks | Overview at; Phishing; Password spray; App consent grant |
| SOC Process Framework | Microsoft Sentinel |
| MSTICPy and Jupyter Notebooks | Microsoft Sentinel |

Blog series about SecOps within Microsoft

See this blog series about how the SecOps team at Microsoft works.


Simuland is an open-source initiative to deploy lab environments and end-to-end simulations that:

  • Reproduce well-known techniques used in real attack scenarios.
  • Actively test and verify the effectiveness of related Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel detections.
  • Extend threat research using telemetry and forensic artifacts generated after each simulation exercise.

Simuland lab environments provide use cases from a variety of data sources including telemetry from Microsoft 365 Defender security products, Microsoft Defender for Cloud, and other integrated data sources through Microsoft Sentinel data connectors.

In the safety of a trial or paid sandbox subscription, you can:

  • Understand the underlying behavior and functionality of adversary tradecraft.
  • Identify mitigations and attacker paths by documenting preconditions for each attacker action.
  • Expedite the design and deployment of threat research lab environments.
  • Stay up to date with the latest techniques and tools used by real threat actors.
  • Identify, document, and share relevant data sources to model and detect adversary actions.
  • Validate and tune detection capabilities.

The learnings from Simuland lab environment scenarios can then be implemented in your production environment and security processes.

See this overview of Simuland and the resources at the Simuland GitHub repository.

Incident response resources

Key Microsoft security resources

| Resource | Description |
|---|---|
| 2021 Microsoft Digital Defense Report | A report that encompasses learnings from security experts, practitioners, and defenders at Microsoft to empower people everywhere to defend against cyberthreats. |
| Microsoft Cybersecurity Reference Architectures | A set of visual architecture diagrams that show Microsoft's cybersecurity capabilities and their integration with Microsoft cloud platforms such as Microsoft 365 and Microsoft Azure and third-party cloud platforms and apps. |
| Minutes matter infographic download | An overview of how Microsoft's SecOps team does incident response to mitigate ongoing attacks. |
| Azure Cloud Adoption Framework security operations | Strategic guidance for leaders establishing or modernizing a security operation function. |
| Microsoft security best practices for security operations | How to best use your SecOps center to move faster than the attackers targeting your organization. |
| Microsoft cloud security for IT architects model | Security across Microsoft cloud services and platforms for identity and device access, threat protection, and information protection. |
| Microsoft security documentation | Additional security guidance from Microsoft. |