Microsoft Defender XDR · Security Operations

Incident Responder

Takes response actions to contain and remediate threats. Can isolate devices, manage quarantine, and perform live response.

Scope: Incident response and remediation across Defender workloads

Permissions

  • Security data basics (read) - View incidents, alerts, investigations, devices
  • Alerts (manage) - Manage alerts, start investigations, manage device tags
  • Response (manage) - Take response actions, approve/dismiss remediation, manage block lists
  • Basic live response (manage) - Initiate sessions, download files, read-only device actions
  • Advanced live response (manage) - Full live response with file uploads and script execution
  • File collection (manage) - Collect files for analysis
  • Email & collaboration quarantine (manage) - View and release quarantined email
  • Email & collaboration advanced actions (manage) - Move email to junk or deleted items, or delete it

Common use cases

  • Incident responders handling active threats
  • Tier 2/3 SOC analysts with remediation responsibilities
  • Emergency response teams

Best practices

  • Use for analysts who need to take immediate action
  • Document all response actions taken
  • Coordinate with Security Administrator for major incidents
  • Test remediation scripts before deployment

Security considerations

  • Can isolate devices from the network
  • Can run scripts on devices via live response
  • Can delete email, including hard delete
  • Actions can impact business operations
