Foundations of Cloud Incident Response
1.1 What this module covers
This module establishes the foundations that every subsequent module depends on. Five sections cover the shared responsibility model and identity as the attack surface, the current M365 threat landscape, IR frameworks adapted for cloud environments, regulatory context and business impact, and a guided walkthrough that maps a real incident to specific obligations.
1.2 What you will learn
Foundations and context
Section 1.1: The shared responsibility model and identity as the perimeter. What Microsoft secures versus what your organization secures. Why M365 incidents start with identity, not malware. What this means for evidence sources, containment actions, and investigation methodology.
Section 1.2: The M365 threat landscape. Current threat data from the Microsoft Digital Defense Report. Attack volume, technique prevalence, industry targeting. AiTM phishing, BEC, token theft, OAuth abuse, and ransomware in cloud environments.
Section 1.3: IR frameworks applied to M365. NIST SP 800-61 Rev 3 and SANS IR frameworks mapped to M365 reality. What each phase means when the perimeter is an identity provider, the evidence is audit logs, and the attacker holds OAuth tokens.
Regulatory and practical application
Section 1.4: Regulatory context and business impact. GDPR Article 33, SEC cybersecurity disclosure rules, HIPAA, NIS2. How regulatory obligations shape IR decisions from minute one.
Section 1.5: Guided walkthrough. A BEC incident triggers regulatory notification. You map the incident facts to specific obligations, identify deadlines, and draft the notification timeline.
1.3 Module structure
- Section 1.1: The shared responsibility model and identity as the perimeter
- Section 1.2: The M365 threat landscape
- Section 1.3: IR frameworks applied to M365
- Section 1.4: Regulatory context and business impact
- Section 1.5: Guided walkthrough
Go to Section 1.1 to begin.