Incident Triage: From Alert to Verdict
The first minutes of incident response define the outcome. Learn how to triage incidents in Defender XDR, investigate Office 365 threats, understand automatic attack disruption, and manage the incident lifecycle with case management.
What happens when an incident lands?
Imagine you are an emergency room doctor. Ambulances keep arriving. You cannot treat every patient identically β a broken finger and a heart attack need very different responses. The first job is triage: assess severity, assign priority, route to the right team.
SOC incident triage works the same way. When Defender XDR creates an incident, someone needs to quickly determine: Is this real? How bad is it? Who handles it?
This module walks through the full incident lifecycle β from the moment an alert fires to the final verdict. You will learn how Defender for Office 365 handles email threats, how automatic attack disruption stops attacks in real-time, and how case management keeps everything organised.
The incident lifecycle
Every incident follows this flow:
| Stage | What Happens | Who Does It |
|---|---|---|
| 1. Detection | Analytics rule, custom detection, or product alert fires | Automated |
| 2. Triage | Assess severity, check if real, assign to analyst | Tier 1 analyst |
| 3. Investigation | Examine evidence, trace the attack chain, identify scope | Tier 1-2 analyst |
| 4. Containment | Stop the attack from spreading (isolate, block, disable) | Analyst or automated |
| 5. Remediation | Remove the threat (quarantine files, reset passwords, clean devices) | Analyst or automated |
| 6. Classification | Mark as True Positive, False Positive, or Benign True Positive | Analyst |
| 7. Closure | Document findings, close the incident, update detections | Analyst |
Defender for Office 365: email threats
Email is the number one attack vector. Defender for Office 365 (MDO) detects phishing, malware, business email compromise (BEC), and spam.
Common email threats
| Threat | What It Is | MDO Detection |
|---|---|---|
| Phishing | Fake email tricking users into revealing credentials | URL detonation, impersonation detection, sender intelligence |
| Malware | Email with malicious attachment | Safe Attachments sandboxing, file detonation |
| BEC | Attacker impersonating CEO/CFO to request wire transfers | Display name impersonation, mailbox intelligence |
| Spam | Unwanted bulk email | Content filtering, sender reputation |
Investigation workflow for email threats
- Review the alert β what triggered it? (Phishing URL, malicious attachment, impersonation)
- Check the email β sender, recipients, subject, URLs, attachments
- Trace delivery β was the email delivered, quarantined, or blocked?
- Check user actions β did anyone click the URL? Did anyone open the attachment?
- Remediate β soft delete from mailboxes, block sender, purge the email across the org
- Hunt β search for related emails from the same campaign
Scenario: James triages a phishing campaign
James at Pacific Meridian receives a High-severity incident: βMulti-stage phishing detected β 47 users targeted.β
Triage (2 minutes):
- Incident shows 47 emails from
hr-updates@pacificmeridian-careers.com(impersonating the real HR domain) - 12 users clicked the link; 3 submitted credentials on the fake login page
- Attack disruption automatically disabled the 3 compromised accounts
Investigation (15 minutes):
- Email headers show the sender IP is from a known phishing infrastructure
- The URL redirects to a credential harvesting site (verified via URL detonation)
- The 3 compromised accounts show sign-in activity from the attackerβs IP
Remediation:
- Soft delete all 47 emails across all mailboxes
- Reset passwords for the 3 compromised accounts
- Revoke all active sessions
- Block the sender domain and URL as indicators
Classification: True Positive β Phishing
Post-incident: James creates an analytics rule to detect future emails from similar impersonation domains.
Case management
Case management in Defender XDR provides the workflow structure for managing incidents from detection to closure.
Key case management features
| Feature | What It Does |
|---|---|
| Assign owner | Route incident to a specific analyst |
| Set status | Active, In Progress, Resolved |
| Classification | True Positive, False Positive, Benign True Positive (informational) |
| Determination | Subcategory: Phishing, Malware, Compromised Account, etc. |
| Tags | Custom labels for tracking (e.g., βVIPβ, βComplianceβ, βCampaign-2026-04β) |
| Comments | Analyst notes documenting investigation steps and findings |
| Linked incidents | Connect related incidents across time |
Exam tip: classification vs determination
The exam tests whether you know the difference:
- Classification = Is the incident real? (True Positive, False Positive, Benign True Positive)
- Determination = What type of threat? (Phishing, Malware, Unwanted Software, Line-of-Business Application, etc.)
Both are set when closing an incident. Getting them wrong skews your SOC metrics.
Benign True Positive means the detection was technically correct (something suspicious happened), but it was expected or authorised (e.g., a penetration test triggering alerts).
Automatic attack disruption in action
You learned about attack disruption in Module 7. Here is how it appears during triage:
When you open an incident that was disrupted, you see:
- Yellow banner β βAttack disruption actions have been takenβ
- Contained entities β which devices were isolated, which users were suspended
- Timeline β when the disruption fired relative to the original alert
As a responder, your job is to verify the disruption was appropriate and continue the investigation. Disruption buys time; it does not complete the investigation.
James finds that Defender XDR disabled 3 user accounts during a BEC incident. One of the accounts belongs to the CFO, who cannot access email during a board meeting. What should James do?
A penetration testing team triggers alerts in Defender XDR during an authorised test. How should the SOC classify these incidents?
Next up: Email threats are handled. Now letβs investigate threats from Microsoft Purview and Defender for Cloud β data breaches and cloud workload attacks.