Incident response overview
Incident response is the practice of investigating and remediating active attack campaigns on your organization. This is part of the security operations (SecOps) discipline and is primarily reactive in nature.
Incident response has the largest direct influence on the overall mean time to acknowledge (MTTA) and mean time to remediate (MTTR) that measure how well security operations are able to reduce organizational risk. Incident response teams heavily rely on good working relationships between threat hunting, intelligence, and incident management teams (if present) to actually reduce risk. See SecOps metrics for more information.
For more information on security operations roles and responsibilities, see Cloud SOC functions.
If you're new-to-role as a security analyst, see these resources to get you started.
|SecOps planning for incident response||Incident response planning for preparing your organization for an incident.|
|SecOps incident response process||Incident response process for best practices on responding to an incident.|
|Incident response workflow||Example incident response workflow for Microsoft 365 Defender|
|Periodic security operations||Example periodic security operations for Microsoft 365 Defender|
|Investigation for Microsoft Sentinel||Incidents in Microsoft Sentinel|
|Investigation for Microsoft 365 Defender||Incidents in Microsoft 365 Defender|
Experienced security analyst resources
If you're an experienced security analyst, see these resources to quickly ramp up your SecOps team for Microsoft security services.
|Microsoft Sentinel||How to investigate incidents|
|Microsoft Defender for Cloud (Azure resources)||How to investigate alerts|
|Microsoft 365 Defender||How to investigate incidents|
|Security operations establishment or modernization||Azure Cloud Adoption Framework articles for SecOps and SecOps functions|
|Microsoft security best practices||How to best use your SecOps center|
|Incident response playbooks||Overview at https://aka.ms/IRplaybooks
- Password spray
- App consent grant
|SOC Process Framework||Microsoft Sentinel|
|MSTICPy and Jupyter Notebooks||Microsoft Sentinel|
Blog series about SecOps within Microsoft
See this blog series about how the SecOps team at Microsoft works.
- Part 1 – Organization: Mission and Culture
- Part 2a – People: Teams, Tiers, and Roles
- Part 2b – People: Careers and Readiness
- Part 3a – Technology: SOC Tooling
- Part 3b – Technology: Day in life of an analyst
- Part 3c – A day in the life part 2 - Microsoft Security
- Part 3d – Zen and the art of threat hunting
Simuland is an open-source initiative to deploy lab environments and end-to-end simulations that:
- Reproduce well-known techniques used in real attack scenarios.
- Actively test and verify the effectiveness of related Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel detections.
- Extend threat research using telemetry and forensic artifacts generated after each simulation exercise.
Simuland lab environments provide use cases from a variety of data sources including telemetry from Microsoft 365 Defender security products, Microsoft Defender for Cloud, and other integrated data sources through Microsoft Sentinel data connectors.
In the safety of a trial or paid sandbox subscription, you can:
- Understand the underlying behavior and functionality of adversary tradecraft.
- Identify mitigations and attacker paths by documenting preconditions for each attacker action.
- Expedite the design and deployment of threat research lab environments.
- Stay up to date with the latest techniques and tools used by real threat actors.
- Identify, document, and share relevant data sources to model and detect adversary actions.
- Validate and tune detection capabilities.
The learnings from Simuland lab environment scenarios can then be implemented in your production environment and security processes.
Incident response resources
- Planning for your SOC
- Process for incident response process recommendations and best practices
- Playbooks for detailed guidance on responding to common attack methods
- Microsoft 365 Defender incident response
- Microsoft Defender for Cloud (Azure)
- Microsoft Sentinel incident response
Key Microsoft security resources
|2021 Microsoft Digital Defense Report||A report that encompasses learnings from security experts, practitioners, and defenders at Microsoft to empower people everywhere to defend against cyberthreats.|
|Microsoft Cybersecurity Reference Architectures||A set of visual architecture diagrams that show Microsoft's cybersecurity capabilities and their integration with Microsoft cloud platforms such as Microsoft 365 and Microsoft Azure and third-party cloud platforms and apps.|
|Minutes matter infographic download||An overview of how Microsoft's SecOps team does incident response to mitigate ongoing attacks.|
|Azure Cloud Adoption Framework security operations||Strategic guidance for leaders establishing or modernizing a security operation function.|
|Microsoft security best practices for security operations||How to best use your SecOps center to move faster than the attackers targeting your organization.|
|Microsoft cloud security for IT architects model||Security across Microsoft cloud services and platforms for identity and device access, threat protection, and information protection.|
|Microsoft security documentation||Additional security guidance from Microsoft.|