Cloud Incident Response
Investigate, Contain, and Recover from M365 Incidents
Build the complete incident response capability for Microsoft 365 environments. From configuring the environment that preserves evidence to running the investigation that finds the attacker to executing the containment that stops them.
What you'll be able to do
Course overview
Cloud Incident Response teaches the complete incident response lifecycle for Microsoft 365 environments. Every module produces a capability you can execute during a real incident. You configure the environment that preserves evidence before you need it. You build the playbooks and runbooks that eliminate improvisation under pressure. You run investigations using KQL, Graph API, and PowerShell against the same log sources and evidence tables you'll query during a real compromise. You execute containment through Conditional Access, session revocation, and OAuth grant removal. You handle the regulatory notification, legal coordination, and post-incident improvement that complete the response.
The course follows the incident response lifecycle across six phases: foundations and preparation, detection and investigation, containment, threat-specific response, legal and compliance, and post-incident improvement. Guided walkthroughs in every module put you through end-to-end scenarios. Incident Lab scenarios let you practice investigation queries against synthetic data with known answers.
Who this course is for
Anyone who wants to learn cloud incident response. The course is built for security analysts, SOC engineers, IT administrators responsible for M365 security, and anyone who needs to investigate or respond to incidents in Microsoft 365 and Entra ID environments. No minimum experience required. Every concept is explained at first use, and experienced practitioners can skip ahead using the module structure.
What you'll learn
Key course takeaways
Things you need to know
What are the prerequisites?
None. The course teaches cloud incident response from first principles. Familiarity with Microsoft 365, Entra ID, and KQL will help you move faster, but none are required. Every tool, technique, and concept is explained at first use.
What tools does this course use?
KQL (Kusto Query Language) for investigation queries in Sentinel and Defender XDR. Microsoft Graph PowerShell for evidence collection and containment. The Microsoft Extractor Suite for bulk evidence export. All tools are free. The course walks through installation and configuration.
Do I need an M365 tenant?
An M365 E5 developer tenant is recommended for hands-on practice. The course provides setup guidance. Investigation queries can also be practiced against the Incident Lab's synthetic NE Corpus data without a tenant.
How will this course benefit your career?
Cloud incident response is one of the most in-demand skills in cybersecurity. Organizations running M365 need people who can investigate a compromise, contain the attacker, determine what was accessed, and produce a report that leadership and legal can act on. This course builds that capability end to end.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy investigation queries, PowerShell scripts, playbooks, and containment runbooks in your production environment. You may not redistribute course content or share account credentials.
Fictional environment: All scenarios use Northgate Engineering (NE). Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 2.0 | Last updated: June 2026
June 2026, v2.0: Complete course rebuild. Renamed to Cloud Incident Response. 13 modules across 6 phases. M365 and Entra ID focused. KQL investigation queries throughout. Incident Lab integration. Portal callouts for every configuration step.
v1.0: Original course launch.
This course is actively maintained.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.