3.5 Notifications, RBAC, and Exam Relevance

50 minutes · Module 3 · Free

Notification Rules

You should not be checking the incident queue every 5 minutes. Notification rules push alerts to you through email or Teams when specific conditions are met — high-severity incidents, incidents involving VIP users, or incidents from specific products.

Setting up effective notifications

What to notify on:

  • All high-severity incidents — these require immediate attention regardless of time of day
  • Any incident involving accounts on your VIP watchlist
  • Any incident classified as “Active compromise” by attack disruption

What NOT to notify on:

  • Every new incident regardless of severity — this creates notification fatigue identical to alert fatigue
  • Informational severity alerts — these are awareness items, not action items
  • Alerts you have already suppressed — notifications should respect your tuning decisions

Notification channels matter

Email notifications are for non-urgent awareness. Teams channel notifications are for team coordination. Direct Teams messages or phone calls (via integration with your on-call system) are for true emergencies. Map your notification channels to severity levels so the delivery mechanism itself signals urgency.
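The routing logic the two lists above describe, as an added example (not code from the course or from Defender itself): it notifies on the three "what to notify on" conditions, stays silent on suppressed and informational items, and maps urgency to a delivery channel. The watchlist, the incident fields and the channel mapping are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample watchlist, not from the course page or any real tenant.
VIP_WATCHLIST = {"ceo@example.com", "cfo@example.com"}

# Delivery channel per urgency class, so the channel itself signals urgency
# (assumed mapping following the email / Teams / on-call guidance above).
CHANNEL = {
    "emergency": "oncall_phone",   # direct Teams message or phone via on-call integration
    "immediate": "teams_channel",  # team coordination, acted on now
}

@dataclass
class Incident:
    incident_id: int
    severity: str                    # "informational", "low", "medium", "high"
    users: frozenset = frozenset()   # accounts involved in the incident
    classification: str = ""         # e.g. "Active compromise" set by attack disruption
    suppressed: bool = False         # already hidden by a suppression rule

def route_notification(inc: Incident) -> Tuple[Optional[str], str]:
    """Decide whether to push a notification and on which channel.

    Returns (channel, reason); channel is None when the rules say stay quiet.
    Order matters: suppression wins over everything, then emergencies.
    """
    if inc.suppressed:
        return None, "suppressed by tuning rule"
    if inc.classification == "Active compromise":
        return CHANNEL["emergency"], "active compromise (attack disruption)"
    if inc.severity == "informational":
        return None, "informational is awareness, not action"
    vips = inc.users & VIP_WATCHLIST
    if vips:
        # VIP involvement escalates any severity to immediate investigation
        return CHANNEL["immediate"], f"VIP involved: {sorted(vips)}"
    if inc.severity == "high":
        return CHANNEL["immediate"], "high severity"
    # Medium/low incidents stay in the queue; pushing every incident
    # turns alert fatigue into notification fatigue.
    return None, f"{inc.severity} severity stays in queue"
```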

RBAC in the Defender Portal

Role-Based Access Control determines what each analyst can see and do. Proper RBAC is not just a security control — it prevents accidents. A Tier 1 analyst who can isolate a production server without approval is a risk to operational stability.

TYPICAL SOC RBAC TIERS

Tier 1 — Triage
  • View incidents and alerts
  • Run queries (read-only)
  • Classify and assign incidents

Tier 2 — Investigation
  • All Tier 1 permissions
  • Take response actions
  • Isolate devices, revoke sessions

Tier 3 / Admin
  • All Tier 2 permissions
  • Modify detection rules
  • Manage RBAC, configure products

Principle: least privilege. Every analyst gets the minimum permissions needed for their role.

Figure 3.5: RBAC tiers in a typical SOC. Permissions increase with responsibility and experience.

Key Defender XDR roles

Role                    What it can do
Security Reader         View incidents, alerts, hunting results. No actions.
Security Operator       View + take response actions (isolate, remediate, approve).
Security Administrator  All operator permissions + modify rules, manage configuration.

Do not give everyone Security Administrator

It is tempting to give every analyst full access to avoid permission issues. This eliminates the safety net that RBAC provides. A Tier 1 analyst with Security Administrator can accidentally delete a detection rule, modify a suppression that hides real attacks, or change a conditional access policy. Least privilege is not bureaucracy — it is protection against honest mistakes.
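A small least-privilege model of the tiers in Figure 3.5, added here as an illustration (not code from the course or from Defender): permissions inherit upward, authorization follows what was actually granted, and an audit function surfaces analysts who hold more than their job tier needs. The action names are constructed labels, not product identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Permission sets per SOC tier, built by inheritance as in Figure 3.5
# (action names are constructed labels, not product identifiers).
TIER_PERMISSIONS: Dict[int, Set[str]] = {}
TIER_PERMISSIONS[1] = {"view_incidents", "view_alerts", "run_readonly_query",
                       "classify_incident", "assign_incident"}
TIER_PERMISSIONS[2] = TIER_PERMISSIONS[1] | {"isolate_device", "revoke_session",
                                             "take_response_action"}
TIER_PERMISSIONS[3] = TIER_PERMISSIONS[2] | {"modify_detection_rule", "modify_suppression",
                                             "manage_rbac", "configure_product"}

@dataclass(frozen=True)
class Analyst:
    name: str
    job_tier: int      # the tier the analyst actually works
    granted_tier: int  # the tier whose permissions were assigned in the portal

def can(analyst: Analyst, action: str) -> bool:
    """Authorization follows the granted tier, not the job title."""
    return action in TIER_PERMISSIONS[analyst.granted_tier]

def minimum_tier(actions: Set[str]) -> int:
    """Lowest tier whose permission set covers every requested action."""
    for tier in sorted(TIER_PERMISSIONS):
        if actions <= TIER_PERMISSIONS[tier]:
            return tier
    raise ValueError(f"no tier grants all of {sorted(actions)}")

def over_privileged(analysts: List[Analyst]) -> List[str]:
    """Least-privilege audit: analysts granted more than their job tier needs."""
    return [a.name for a in analysts if a.granted_tier > a.job_tier]

def excess_permissions(analyst: Analyst) -> Set[str]:
    """What the analyst can do today that the job does not require: the
    'honest mistake' surface, e.g. a Tier 1 who can change detection rules."""
    return TIER_PERMISSIONS[analyst.granted_tier] - TIER_PERMISSIONS[analyst.job_tier]
```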

SC-200 Exam Relevance

The Defender XDR portal navigation is tested extensively in the SC-200 exam under “Manage a security operations environment” (20–25% of the exam). Expect questions about:

  • Incident triage and classification
  • Alert tuning and suppression rules
  • Advanced hunting — when to use it vs the incident queue
  • Response actions — which action for which scenario
  • RBAC — which role permits which actions
  • Attack disruption — when it activates and what it does

Module 3 — Key takeaways

  • The Defender XDR portal at security.microsoft.com is the single interface for all SOC operations
  • Incidents contain correlated alerts from multiple products — navigate top-down (incident → alert → evidence)
  • Triage is a 60-second decision, not a 30-minute investigation. Check title, alert count, entities, time.
  • VIP user involvement escalates any severity level to immediate investigation
  • Always classify incidents (TP, FP, informational) — this feedback improves detection quality
  • Suppression rules must be scoped narrowly to avoid creating blind spots
  • Advanced hunting is proactive — it finds things the incident queue never will
  • Response actions have blast radius — match containment severity to investigation confidence
  • Attack disruption fires only for high-confidence, high-severity scenarios at machine speed
  • RBAC follows least privilege — Tier 1 can view, Tier 2 can act, Tier 3/Admin can configure

Module 3 — Final knowledge check

1. You need to query across EmailEvents and SigninLogs simultaneously. Where do you do this?

Advanced Hunting — the unified KQL query surface across all product data tables
The incident timeline
Threat Explorer

2. A Security Reader cannot take response actions. A Security Operator can. What is the additional capability of a Security Administrator?

They can view more incident detail
They can take more aggressive response actions
They can modify detection rules, suppression rules, and product configuration — not just view and act

3. When does Attack Disruption activate?

For all high-severity incidents
For high-confidence, high-severity attacks where human response time is too slow — like active ransomware or mass credential theft
When an analyst requests it

4. You find a recurring false positive that fires 10 times per day. What is the correct tuning action?

Delete the detection rule
Suppress all alerts of that type
Create a narrowly scoped suppression rule matching the specific false positive conditions, and document why it was created

5. Which incident page tab should you check first when triaging a new incident?

Attack story — it shows the full event timeline and how alerts connect across products
Evidence — jump to the specific entities
Alerts — read each alert individually