1. Home
  2. Training Library
  3. Microsoft 365
  4. Microsoft 365 Courses
  5. Managing Microsoft 365 Security Reports and Alerts

Threat Response Strategy

Start course

This course will explore best practices and fundamentals using Microsoft 365’s Secure Score as a primary barometer to measure protection and readiness as well as timely and effective responses to threat incidents. After completing lessons and watching video demos, students should be equipped with the knowledge and skills to protect themselves and their organizations. 

Learning Objectives

  • Evaluate and manage Microsoft Office 365 tenant security using Secure Score
  • Manage incident investigation
  • Review and manage Microsoft 365 security alerts

Intended Audience

  • General cybersecurity enthusiasts who want to stay current with best practices 
  • People studying for the Microsoft MS-101 exam
  • Cyber security professionals/administrators responsible for the safety of an organization


  • Basic understanding of Office/Microsoft 365
  • Basic understanding of computer networking
  • General knowledge of different threat types

In this video, we'll be discussing our overall incident investigation strategy. Cybersecurity threat response is not that different from firefighters putting out fires. The first step is detection, being alerted to the threat. Second is to diagnose the type of threat because that will determine our response and remediation strategy. And lastly, we debrief with threat prevention, which often includes some kind of education on best practices to avoid the incident in the future.

Let's start with threat detection. By establishing policies, we will be alerted to suspicious activity within our organization. Don't worry about setting the policy parameters perfectly in the beginning. It's more important to have some form of notification in place. You can always strengthen or soften the strictness of the alert to recalibrate the best balance for your organization down the road. The important part here is that you have policies to alert you on all the suspicious activity you want to know about. And once we are alerted, we move onto diagnosis as not all threats are the same. For example, some alerts could be from suspicious behavior within the organization internally, like a user who is downloading an excessive number of files, for example.

Another threat could be an external attack, like a phishing attempt via email from a spoofed address designed to look very familiar. Different types of threats will warrant different responses, so it's important to diagnose them accurately. A good place to start is identifying the affected resources, such as devices, identities, files, and so on. Also consider the scope of the impact, such as how many users and/or resources would be affected, and for how long.

Now, if you have a live threat, such as ransomware making its way through your organization locking up files, it's more important to move into remediation to contain or remove the threat immediately. This is an extreme example, but actually quite common. Other threats can be automatically detected and quarantined by Microsoft security policies, such as spam email for example. In either case, we'll want to confirm that the threat has been completely isolated or removed from our environment, then proceed to restore any data that was lost.

Lastly, when it comes to threat prevention, the best defense is the user's own competence in recognizing suspicious links and possible threats. Education is key and regular security awareness training can go a long way. Secure score can come in handy as well to calibrate how strict or lenient certain automated policies ought to be. In general, cybersecurity threat response isn't something that you can simply set and forget. It's a continuous give-and-take between lockdown security and convenience. The goal is to strike a reasonable balance between the two according to your organization's needs. Hope you found this helpful. Thanks for watching. See you in the next video.


About the Author

Aaron has been in the IT industry for 10 years servicing a variety of industries, from small retail businesses to multi-billion dollar hedge funds. Specializing in workflow optimization, he has helped users at all levels increase their productivity and efficiency ranging from tasks like taking medical offices to paperless, to administering patch management, JIRA, Confluence, and other project management platforms. 

Prior to starting his IT career, Aaron was a test prep teacher, helping high school students improve their standardized test scores for college admissions. He joins Cloud Academy to combine his two passions, technology and teaching.