Practice 9

Implement security monitoring and response


This practice focuses on maintaining continuous visibility into both the vulnerabilities attackers can exploit and anomalies that may be signs of an active attack. This is critically important to guide your risk mitigation efforts and to ensure you can detect, respond to, and recover from attacks. 

This is often referred to as posture management or vulnerability management for 'left of bang' preventive measures, and as security operations (SecOps/SOC) for 'right of bang' management of active incidents.

9.1 Proactively detect and address threats - Use a security analytics and threat intelligence platform to enable attack detection, threat visibility, proactive hunting, and threat response. This is typically composed of extended detection and response (XDR) tools for well-known attack patterns, a security information and event management (SIEM) system for building custom detections from log data, and a security data lake for long-term, cost-efficient storage of archival logs. A well-designed pipeline for application, system, and security logs and other data sources is key to effective threat detection, investigation and forensic analysis, threat hunting, threat intelligence, and similar activities; a detection is only as good as the telemetry that feeds it, so confirm that the fields a rule depends on are actually collected and retained for the window the rule needs.
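The following is an added example, not code from the SDL page or from any Microsoft product, of the kind of custom detection a SIEM rule expresses over log data: it parses a handful of constructed authentication events (the log format, field names, IP addresses and user names are all assumptions made for the illustration) and raises an alert when a single source IP fails logins for several distinct users and then succeeds within a short window, a common password-spray signature.

```python
"""Custom detection over sample auth log lines (added example, not from the page).

Rule: alert when one source IP fails logins for >= THRESHOLD distinct users
within WINDOW and then records a successful login from the same IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example (not real logs):
# "<ISO timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.7
2024-05-01T10:00:04Z LOGIN_FAILED user=bob src=203.0.113.7
2024-05-01T10:00:09Z LOGIN_FAILED user=carol src=203.0.113.7
2024-05-01T10:00:12Z LOGIN_FAILED user=dave src=203.0.113.7
2024-05-01T10:00:15Z LOGIN_FAILED user=erin src=203.0.113.7
2024-05-01T10:00:20Z LOGIN_SUCCESS user=erin src=203.0.113.7
2024-05-01T10:05:00Z LOGIN_FAILED user=alice src=198.51.100.9
2024-05-01T10:30:00Z LOGIN_SUCCESS user=alice src=198.51.100.9
"""


def parse_line(line):
    """Parse one space-separated event line into a dict (assumed format)."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray_then_success(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per success that follows a burst of failures.

    Events are processed in timestamp order; per source IP we keep only the
    failures still inside `window`, so an old, unrelated failure (as with
    198.51.100.9 below) does not contribute to a later success.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(list)  # src -> [(ts, user), ...] within window
    alerts = []
    for e in events:
        # Drop failures that have aged out of the sliding window.
        recent = [(t, u) for t, u in failures[e["src"]] if e["ts"] - t <= window]
        failures[e["src"]] = recent
        if e["event"] == "LOGIN_FAILED":
            recent.append((e["ts"], e["user"]))
        elif e["event"] == "LOGIN_SUCCESS":
            users = {u for _, u in recent}
            if len(users) >= threshold:
                alerts.append({
                    "rule": "password_spray_then_success",
                    "src": e["src"],
                    "user": e["user"],
                    "ts": e["ts"].isoformat(),
                    "failed_users": sorted(users),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray_then_success(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second source (198.51.100.9) has a single failure followed by a success half an hour later, so the window logic keeps it quiet; the point of the example is that the window and threshold are what separate a signal from a user mistyping a password, and both should be tuned against your own baseline rather than copied.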

9.2 Establish a standard incident response process – Preparing an incident response plan is crucial for addressing new threats that emerge over time. It should be created in coordination with your organization's dedicated Product Security Incident Response Team (PSIRT). The plan should identify who to contact in a security emergency and establish the protocol for security servicing, including how fixes are handled for code inherited from other groups within the organization and for third-party code. The incident response plan should be exercised before it is needed, not read for the first time during an incident.