In this module

AD6 — Basic Incident Response

5-6 hours · Module 6 · Free

Module AD5 taught you to detect incidents through structured monitoring. This module teaches you what to do when you find one. Not the theory of incident response — the actual step-by-step procedures for the three incidents IT administrators face most often: a compromised user account (credentials stolen via phishing, password spray, or token theft), a phishing click (a user clicked a malicious link — what's the damage?), and business email compromise (an attacker is inside a mailbox reading emails and creating forwarding rules).

Each procedure is a numbered checklist: step 1, step 2, step 3. No ambiguity about what to do next. No "it depends" without telling you what it depends on. The procedures use the tools you already know from Modules AD1-AD5 — Entra ID for identity response, Exchange Online PowerShell for email investigation, the Defender portal for alert context, and the sign-in log for timeline reconstruction.

This module also covers the decisions that surround the technical response: when to escalate to a managed SOC versus handling it yourself, how to preserve evidence before you take containment actions, what to do when an incident happens at 02:00 on a Saturday, and how to document the incident for management and compliance purposes.

The result: when your Monday review or an alert notification identifies a confirmed incident, you have a procedure — not a panic.

What you will learn

  • The 5-step compromised account procedure (revoke, reset, review, remove, report)
  • Phishing click response workflow with scope assessment
  • BEC detection and response with inbox rule analysis
  • Evidence preservation before containment actions
  • Coordinating with a managed SOC during active incidents
  • The after-hours incident decision framework
  • Incident documentation for management and compliance
  • Microsoft's automatic attack disruption and when it helps
  • Post-incident review and improvement
  • Building incident response procedures into organizational documentation

Subsections

  • AD6.1 Why You Need Response Procedures
  • AD6.2 The Compromised Account Procedure
  • AD6.3 Phishing Click Response
  • AD6.4 Business Email Compromise Response
  • AD6.5 Evidence Preservation Basics
  • AD6.6 Coordinating with Your Managed SOC
  • AD6.7 The After-Hours Decision
  • AD6.8 Automatic Attack Disruption
  • AD6.9 Documenting the Incident
  • AD6.10 Post-Incident Review and Improvement
  • AD6.11 Interactive Lab
  • AD6.12 Module Summary
  • AD6.13 Check My Knowledge

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.
