Manage Incident Response
Every incident runs the same loop; the only real skill is choosing the surface you run it on
A real attack is one story told across many products: a phished user, a stolen token, a device dropping malware, a hidden mailbox rule, data leaving the tenant. Whatever raised the first alert, the response is always the same three-beat loop. Triage it (read the summary, set classification and severity, assign an owner), investigate it (walk the timeline, pivot across the entities), then respond (contain and remediate the affected users, devices, mailboxes, and apps). What changes is never the loop, only the surface you work it on and the remediation verb that surface offers: a device is isolated, an identity has its sessions revoked, a malicious email is soft-deleted, a risky app is disabled. The single most common SC-200 trap in this domain is being handed an incident and reaching for the wrong surface, so before you pick an action, pin down which of the five surfaces below owns this part of the response.
The domain unfolds across five response surfaces, each owning a different part of the story
Read the five subtopics in order and the map draws itself. The Microsoft Defender portal (security.microsoft.com) is the correlation hub: it stitches alerts from Defender for Office 365, Endpoint, Identity, Cloud Apps, Microsoft Entra ID Protection, Microsoft Defender for Cloud, and Microsoft Purview into one cross-product incident, and it is where automatic attack disruption contains in-progress ransomware, business email compromise (BEC), and adversary-in-the-middle attacks before an analyst even arrives. Defender for Endpoint is the device-deep surface: you walk the 30-day device timeline, then either contain (isolate the device, run live response) or collect forensics (the investigation package). Investigating Microsoft 365 activities is the evidence layer: the unified audit log, Content Search, and Microsoft Graph activity logs answer what happened, where the content is, and who called the API. Microsoft Sentinel is the SIEM-and-SOAR surface for incidents that span your whole estate, where automation rules route and tag while playbooks do the cross-system work. Security Copilot is the AI assistant that accelerates all four, summarizing incidents and drafting hunting queries within your own permissions.
When two answers both work, prefer the surface that already correlated the story
Microsoft's response tooling is layered so that the higher surface does the correlation for you, and the exam rewards working the case the platform already assembled rather than chasing raw signals. Inside the Defender portal or Sentinel you work the incident, the container of related alerts with its shared entity graph, never the scattered alerts one at a time. When automatic attack disruption has already acted, your job shifts from racing the attacker to verifying the automatic containment was correct and finishing the cleanup, knowing every automatic action can be undone if it was a false positive. And one permission rule cuts across the whole domain: Security Copilot runs on-behalf-of (OBO) the signed-in analyst, so it never exceeds the access you already hold. A Copilot role grants no security data by itself; you still need the matching service role, such as Microsoft Sentinel Reader, to see that product's data through Copilot.
The five response surfaces: what each owns and the response it offers
| Response surface | What it owns in the story | Signature response action | Drill into |
|---|---|---|---|
| Microsoft Defender portal | Correlates alerts from every connected Defender product into one cross-product incident; runs automatic attack disruption | Triage, classify, and remediate per entity; verify or undo a disruption action | Respond to Incidents in the Microsoft Defender Portal |
| Defender for Endpoint | The device's own story: timeline, process tree, and analyzed entities | Isolate the device, run live response, or collect the investigation package | Respond to Microsoft Defender for Endpoint Alerts |
| Microsoft 365 activity evidence | The proof layer: what happened, where the content is, who called the API | Search the unified audit log, run a Content Search, query Microsoft Graph activity logs | Investigate Microsoft 365 Activities |
| Microsoft Sentinel | Estate-wide incidents grouped from analytics-rule alerts; SIEM plus SOAR | Work the incident, route with an automation rule, run a playbook (incl. on-premises) | Respond to Incidents in Microsoft Sentinel |
| Microsoft Security Copilot | The AI assistant over all four surfaces, grounded in your own data and permissions | Summarize an incident, generate a hunting query, run a promptbook (OBO the analyst) | Implement and Use Microsoft Security Copilot |