L17. Incident Response in Azure
Course outlineLesson 17 of 18
The AZ-500 tests your ability to triage, investigate, and respond to security incidents using KQL queries, Logic App playbooks, and Sentinel automation rules. This lesson covers the response lifecycle from alert to remediation.
Incident Response Lifecycle in Azure
- Detection: Analytics rule fires, Alert created, Incident created (if grouping is on)
- Triage: Analyst reviews incident, assigns severity, sets status (New to Active)
- Investigation: KQL queries in the workspace, entity timeline, threat intelligence correlation
- Containment: Isolate VM, block user, revoke tokens: manual or automated
- Remediation: Root cause fix: patch, reconfiguration, policy update
- Documentation: Close incident, record findings, update detection rules
KQL Basics for the Exam
The exam expects you to read and understand KQL, not write complex queries from scratch. Key operators:
// Find failed sign-ins from a specific IP
SigninLogs
| where ResultType != 0
| where IPAddress == "1.2.3.4"
| summarize count() by UserPrincipalName, bin(TimeGenerated, 1h)
| order by count_ descKey KQL operators to recognise: where, project, summarize, join, extend, render, order by, bin().
Logic App Playbooks
Playbooks are Logic Apps triggered by Sentinel alerts or incidents. Common patterns:
- On high-severity alert: post to Teams channel plus page on-call
- On user account alert: disable Entra ID account, force sign-out of all sessions
- On malicious IP alert: add IP to Named Location block list in Conditional Access
Automation Rules
Automation rules run before playbooks and can:
- Auto-assign incidents to an analyst
- Auto-tag incidents with labels
- Auto-close known-false-positive patterns
- Trigger a playbook
- ✓Incident lifecycle: Detection, Triage, Investigation, Containment, Remediation, Documentation
- ✓KQL operators to recognise: where, project, summarize, join, extend, render, order by, bin()
- ✓Playbooks = Logic Apps. An automation rule in Sentinel connects the trigger condition to the playbook
- ✓Automation rules run in priority order, can auto-assign/tag/close incidents before triggering playbooks
- ✓Common playbook patterns: disable Entra account on identity alert, add IP to CA Named Location block list
1. In KQL, what does the 'where' operator do?
2. A Logic App playbook is triggered by a Microsoft Sentinel incident. What is the recommended way to authorize the playbook to take actions on Azure resources?
3. What is the purpose of SOAR (Security Orchestration, Automation, and Response) in Sentinel?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.