Task 03: Trigger benign signals, review Attack story, verify auto actions and evidence


Security Architecture Team

The Architect should open any incidents and confirm that the Attack story view aligns with the approved guardrails and that no custom playbooks were used.


Security Engineering and Administration

  1. Go back to your Defender XDR portal tab.

  2. You can verify the isolation status of a pilot device by:

     1. Opening the device by selecting Assets > Devices, then viewing all action history in the Action Center.

     2. Observing the Conditional Access policy logs in entra.microsoft.com:

        1. Going to Conditional Access > Monitoring > Sign-in logs.
        2. Filtering by Conditional Access = Success.
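The portal filter in the last step is a query over the same records that Microsoft Graph exposes as `signIn` objects (the `conditionalAccessStatus` field and the `appliedConditionalAccessPolicies` list). The following Python script is an added example, not part of the lab page or of Microsoft's tooling: it applies the same "Conditional Access = Success" filter offline to constructed sample records, and goes a step further than the page by flagging pilot users whose sign-ins never had a policy applied (a guardrail gap worth reporting) and by drafting incident notes in the format the SOC Analyst section uses. The sample users, times, policy names and the `PILOT_USERS` set are all made up.

```python
"""Summarise Entra sign-in records by Conditional Access outcome.

Hypothetical helper, not Microsoft's code. Each record mirrors the fields of
a Microsoft Graph `signIn` object (the data behind the Entra Sign-in logs
blade): createdDateTime, userPrincipalName, conditionalAccessStatus and
appliedConditionalAccessPolicies.
"""
from collections import Counter

# Constructed sample sign-ins; every name, time and policy name is made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T10:02:11Z",
     "userPrincipalName": "pilot.user1@contoso.example",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Pilot: require compliant device", "result": "success"}]},
    {"createdDateTime": "2024-05-01T10:05:42Z",
     "userPrincipalName": "pilot.user2@contoso.example",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Pilot: block high-risk users", "result": "failure"}]},
    {"createdDateTime": "2024-05-01T10:07:03Z",
     "userPrincipalName": "pilot.user3@contoso.example",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2024-05-01T10:09:30Z",
     "userPrincipalName": "other.user@contoso.example",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
]

# Assumed pilot scope for this example.
PILOT_USERS = {"pilot.user1@contoso.example",
               "pilot.user2@contoso.example",
               "pilot.user3@contoso.example"}


def filter_by_ca_status(signins, status):
    """Offline equivalent of the portal filter 'Conditional Access = <status>'."""
    return [s for s in signins if s.get("conditionalAccessStatus") == status]


def ca_status_counts(signins):
    """How many sign-ins fell into each Conditional Access outcome."""
    return Counter(s.get("conditionalAccessStatus", "unknown") for s in signins)


def pilot_users_without_ca(signins, pilot_users):
    """Pilot users who signed in but never had a CA policy evaluated.

    'success' and 'failure' both prove a policy applied; 'notApplied' on a
    pilot user means the guardrail did not cover that sign-in.
    """
    covered = {s["userPrincipalName"] for s in signins
               if s.get("conditionalAccessStatus") in ("success", "failure")}
    seen = {s["userPrincipalName"] for s in signins}
    return sorted((pilot_users & seen) - covered)


def draft_ca_notes(signins, pilot_users):
    """One incident note per CA-blocked pilot sign-in, in the lab's note format."""
    notes = []
    for s in filter_by_ca_status(signins, "failure"):
        if s["userPrincipalName"] not in pilot_users:
            continue
        blocking = [p["displayName"] for p in s["appliedConditionalAccessPolicies"]
                    if p.get("result") == "failure"]
        policies = ", ".join(blocking) or "unknown policy"
        notes.append(f"User session revoked/blocked by CA at {s['createdDateTime']} "
                     f"({s['userPrincipalName']}; policy: {policies})")
    return notes


if __name__ == "__main__":
    print("CA outcomes:", dict(ca_status_counts(SAMPLE_SIGNINS)))
    print("Pilot users with no CA applied:",
          pilot_users_without_ca(SAMPLE_SIGNINS, PILOT_USERS))
    for note in draft_ca_notes(SAMPLE_SIGNINS, PILOT_USERS):
        print("Note:", note)
```

The gap check is the part to keep an eye on during the pilot: a pilot user whose sign-ins show "Not Applied" means the Conditional Access guardrail was not exercised for that session, so there is no CA evidence to attach to the incident for that user.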

SOC Analyst

The SOC Analyst should make sure notes are added to any incidents. For example:

- *"Auto-contained device(s): [names] at [time]"*
- *"User session revoked/blocked by CA at [time]"*
- *"No manual playbooks executed; native XDR + CA only"*