Cloud Incident Response

Investigate, Contain, and Recover from M365 Incidents

Build the complete incident response capability for Microsoft 365 environments. From configuring the environment that preserves evidence to running the investigation that finds the attacker to executing the containment that stops them.

View Pricing Download Lab Pack Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Lead full-scope incident response investigations using a proven forensic methodology
Collect and analyse digital evidence from Windows systems, Microsoft 365, Entra ID, and hybrid environments
Reconstruct accurate attacker timelines and root cause analysis
Perform effective containment, eradication, and recovery while preserving evidence integrity
Document investigations clearly for internal stakeholders, legal, or compliance requirements
Translate investigation findings into actionable improvements in detection and prevention
FOR401 | Premium tier | 13 modules across 6 phases | 36–40 hours at your own pace | 40 CPE credits | 5 free preview lessons - no account needed | Updated June 2026
Course Agenda View all 14 modules

Phase 3 — Threat-Specific Response

IR7
Threat-Specific Response Playbooks

Phase 4 — Legal, Compliance, and Communication

IR8
Legal, Compliance, Communications, and Stakeholder Management

Reference

References

Course Completion

Course Exam

Course overview

Cloud Incident Response teaches the complete incident response lifecycle for Microsoft 365 environments. Every module produces a capability you can execute during a real incident. You configure the environment that preserves evidence before you need it. You build the playbooks and runbooks that eliminate improvisation under pressure. You run investigations using KQL, Graph API, and PowerShell against the same log sources and evidence tables you'll query during a real compromise. You execute containment through Conditional Access, session revocation, and OAuth grant removal. You handle the regulatory notification, legal coordination, and post-incident improvement that complete the response.

The course follows the incident response lifecycle across six phases: foundations and preparation, detection and investigation, containment, threat-specific response, legal and compliance, and post-incident improvement. Guided walkthroughs in every module put you through end-to-end scenarios. Incident Lab scenarios let you practice investigation queries against synthetic data with known answers.

Who this course is for

Anyone who wants to learn cloud incident response. The course is built for security analysts, SOC engineers, IT administrators responsible for M365 security, and anyone who needs to investigate or respond to incidents in Microsoft 365 and Entra ID environments. No minimum experience required. Every concept is explained at first use, and experienced practitioners can skip ahead using the module structure.

SOC analysts who triage alerts and need to investigate beyond the alert summary
Security engineers responsible for M365 security who need IR capability
IT administrators who are the first responder when something goes wrong
IR practitioners expanding from on-premises into cloud investigation

What you'll learn

Configure M365 for IR readiness: diagnostic settings, log retention, break-glass accounts, and emergency Conditional Access policies
Triage alerts from Identity Protection, Defender XDR, and Sentinel and determine whether they require investigation
Investigate identity compromise, BEC, OAuth abuse, and insider threat using KQL against all four sign-in log tables and the Unified Audit Log
Scope incidents: determine how many accounts are compromised, what the attacker accessed, and what data was exfiltrated
Execute five-channel containment: sessions, credentials, OAuth grants, email rules, and file access
Handle regulatory notification under GDPR, SEC 8-K, HIPAA, and NIS2 with evidence-based scope determination

Key course takeaways

A complete, repeatable IR methodology for M365 that you can execute under pressure
Production-ready KQL investigation queries for every phase of the response lifecycle
Playbooks and runbooks for BEC, identity compromise, ransomware, insider threat, and OAuth abuse
The ability to configure an environment for IR readiness and verify the configuration works
Confidence to lead incident response in M365 environments and produce defensible investigation reports

Things you need to know

What are the prerequisites?

None. The course teaches cloud incident response from first principles. Familiarity with Microsoft 365, Entra ID, and KQL will help you move faster, but none are required. Every tool, technique, and concept is explained at first use.

What tools does this course use?

KQL (Kusto Query Language) for investigation queries in Sentinel and Defender XDR. Microsoft Graph PowerShell for evidence collection and containment. The Microsoft Extractor Suite for bulk evidence export. All tools are free. The course walks through installation and configuration.

Do I need an M365 tenant?

An M365 E5 developer tenant is recommended for hands-on practice. The course provides setup guidance. Investigation queries can also be practiced against the Incident Lab's synthetic NE Corpus data without a tenant.

How will this course benefit your career?

Cloud incident response is one of the most in-demand skills in cybersecurity. Organizations running M365 need people who can investigate a compromise, contain the attacker, determine what was accessed, and produce a report that leadership and legal can act on. This course builds that capability end to end.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy investigation queries, PowerShell scripts, playbooks, and containment runbooks in your production environment. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering (NE). Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 2.0  |  Last updated: June 2026

June 2026, v2.0: Complete course rebuild. Renamed to Cloud Incident Response. 13 modules across 6 phases. M365 and Entra ID focused. KQL investigation queries throughout. Incident Lab integration. Portal callouts for every configuration step.

v1.0: Original course launch.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40minutes
3phases
100points
3scenarios
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.