MCSB IR-1: Incident Response
12 Senserva Microsoft 365 security checks provide evidence for Microsoft Cloud Security Benchmark control IR-1 (Incident Response). Each is checked against your tenant, ranked by Severity, with validated remediation.
What MCSB IR-1 covers
The Microsoft Cloud Security Benchmark is Microsoft's own security baseline for Azure and Microsoft 365, organized into control domains. IR-1 sits in the Incident Response domain. Senserva evidences it with the 12 checks below, so you can see, per tenant, whether the control is actually met rather than assumed.
Ask your own AI about this control
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
The 12 checks that evidence MCSB IR-1
Click any row for why it matters and how to fix it, with a link to the full check page.
| Senserva check | Severity | What it verifies |
|---|---|---|
| Risk Detection Anomalous Token | Critical | Anomalous token usage detected Token properties or usage patterns do not match expected behavior. |
| Risk Detection Leaked Credentials | Critical | Leaked credentials detected. Credentials for this user were found exposed publicly |
| Risk Detection Malicious IP Address | Critical | Sign-in from a known malicious IP address. |
| Risk Detection Offline | Critical | Risk detection was discovered offline (retroactively). The compromise predates the detection |
| Risk Detection State Confirmed Compromised | Critical | Risk detection is confirmed compromised. Immediate action required |
| Risk Detection Token Issuer Anomaly | Critical | Token issuer anomaly detected The token was issued by an unexpected or suspicious authority. |
| Risk Detection Anonymized IP Address | High | Sign-in from an anonymized IP address (VPN, Tor, or proxy) |
| Risk Detection Stale | High | Unresolved risk detection has exceeded the configured stale threshold |
| Risk Detection State At Risk | High | Risk detection is in AtRisk state and has not been remediated |
| Risk Detection State Dismissed | High | Risk detection was dismissed without documented remediation |
| Risk Detection Suspicious IP Address | High | Sign-in from a suspicious IP address flagged by threat intelligence |
| Ir Update Incident Response Plan And Process | Medium | Update and maintain the incident response plan and process |
Also evidences
The same checks provide evidence for these frameworks, so one fix counts across your obligations:
Every MCSB control and the checks that evidence it: the control reference. The full benchmark crosswalk: MCSB for Microsoft 365.