Domain 3 of 4

Manage Incident Response

Domain · 25–30% of the SC-200 exam

Every incident runs the same loop; the only real skill is choosing the surface you run it on

A real attack is one story told across many products: a phished user, a stolen token, a device dropping malware, a hidden mailbox rule, data leaving the tenant. Whatever raised the first alert, the response is always the same three-beat loop. Triage it (read the summary, set classification and severity, assign an owner), investigate it (walk the timeline, pivot across the entities), then respond (contain and remediate the affected users, devices, mailboxes, and apps). What changes is never the loop, only the surface you work it on and the remediation verb that surface offers: a device is isolated, an identity has its sessions revoked, a malicious email is soft-deleted, a risky app is disabled. The single most common SC-200 trap in this domain is being handed an incident and reaching for the wrong surface, so before you pick an action, pin down which of the five surfaces below owns this part of the response.

The domain unfolds across five response surfaces, each owning a different part of the story

Read the five subtopics in order and the map draws itself. The Microsoft Defender portal (security.microsoft.com) is the correlation hub: it stitches alerts from Defender for Office 365, Endpoint, Identity, Cloud Apps, Microsoft Entra ID Protection, Microsoft Defender for Cloud, and Microsoft Purview into one cross-product incident, and it is where automatic attack disruption contains in-progress ransomware, business email compromise (BEC), and adversary-in-the-middle attacks before an analyst even arrives. Defender for Endpoint is the device-deep surface: you walk the 30-day device timeline, then either contain (isolate the device, run live response) or collect forensics (the investigation package). Investigating Microsoft 365 activities is the evidence layer: the unified audit log, Content Search, and Microsoft Graph activity logs answer what happened, where the content is, and who called the API. Microsoft Sentinel is the SIEM-and-SOAR surface for incidents that span your whole estate, where automation rules route and tag while playbooks do the cross-system work. Security Copilot is the AI assistant that accelerates all four, summarizing incidents and drafting hunting queries within your own permissions.

When two answers both work, prefer the surface that already correlated the story

Microsoft's response tooling is layered so that the higher surface does the correlation for you, and the exam rewards working the case the platform already assembled rather than chasing raw signals. Inside the Defender portal or Sentinel you work the incident, the container of related alerts with its shared entity graph, never the scattered alerts one at a time. When automatic attack disruption has already acted, your job shifts from racing the attacker to verifying the automatic containment was correct and finishing the cleanup, knowing every automatic action can be undone if it was a false positive. And one permission rule cuts across the whole domain: Security Copilot runs on-behalf-of (OBO) the signed-in analyst, so it never exceeds the access you already hold. A Copilot role grants no security data by itself; you still need the matching service role, such as Microsoft Sentinel Reader, to see that product's data through Copilot.

The five response surfaces: what each owns and the response it offers

Response surfaceWhat it owns in the storySignature response actionDrill into
Microsoft Defender portalCorrelates alerts from every connected Defender product into one cross-product incident; runs automatic attack disruptionTriage, classify, and remediate per entity; verify or undo a disruption actionRespond to Incidents in the Microsoft Defender Portal
Defender for EndpointThe device's own story: timeline, process tree, and analyzed entitiesIsolate the device, run live response, or collect the investigation packageRespond to Microsoft Defender for Endpoint Alerts
Microsoft 365 activity evidenceThe proof layer: what happened, where the content is, who called the APISearch the unified audit log, run a Content Search, query Microsoft Graph activity logsInvestigate Microsoft 365 Activities
Microsoft SentinelEstate-wide incidents grouped from analytics-rule alerts; SIEM plus SOARWork the incident, route with an automation rule, run a playbook (incl. on-premises)Respond to Incidents in Microsoft Sentinel
Microsoft Security CopilotThe AI assistant over all four surfaces, grounded in your own data and permissionsSummarize an incident, generate a hunting query, run a promptbook (OBO the analyst)Implement and Use Microsoft Security Copilot

Subtopics in this domain