Core Training Track

Microsoft 365 Security Operations

When a phishing email gets past your filters at 2am, theory will not help you. This course teaches you to investigate, contain, and report on real attack scenarios — the same way a practising SOC analyst does it every day. Built around the Microsoft security stack you already work in.


Overview

Microsoft 365 Security Operations is an investigation-led training course for security professionals who protect organisations running on the Microsoft stack. Over 28 modules, you will work through the same scenarios, tools, and decision-making processes that define day-to-day life in a security operations centre.

This is not a passive learning experience. Every module puts you in the analyst's chair. You will trace AiTM phishing campaigns across multiple log sources, write KQL queries that catch threats your current rules miss, build detection logic in Microsoft Sentinel, and produce incident reports that leadership can act on. The investigation scenarios are based on attack patterns encountered in production environments — sanitised and structured for learning, but rooted in real operational experience.

The curriculum is aligned with Microsoft's SC-200 Security Operations Analyst certification objectives, which means completing this course prepares you for the exam as a natural side effect. But the real outcome is operational competence: the ability to walk into a SOC on Monday morning and handle whatever lands in your incident queue.

All content is written — not video. You can search it, bookmark it, and pull up a query during a live investigation. When Microsoft changes something, we update the text in minutes instead of reshooting a video.

Audience profile

SOC analysts looking to go deeper. You have been triaging alerts for a few months and you are ready for more. You want to understand the full attack chain, write your own detection rules, and lead investigations instead of just escalating them.

IT administrators moving into security. Your employer has asked you to take on security responsibilities alongside your existing admin role. You know your way around the M365 admin centre, but the Defender portal feels unfamiliar and Sentinel is completely new territory.

MSP technicians managing client security. You look after multiple M365 tenants and need repeatable investigation workflows and detection rules you can deploy across environments.

Career changers and upskilling professionals. You are building a case for your next role. Completing this course gives you demonstrable skills that hiring managers recognise — along with the SC-200 certification if you choose to sit the exam.

Prerequisites: Basic familiarity with Microsoft 365 administration. No prior security experience or KQL knowledge required — both are taught from scratch.

Course syllabus

The course is structured in four phases. You start with the foundations (free, no account required), then build your environment knowledge, work through real investigation scenarios, and finish with proactive threat hunting and automation.

Phase 2: Environment and Configuration

Eight modules covering Sentinel workspace design, data connectors, Defender for Endpoint and Office 365 policies, analytics rule creation, cloud workload protection, and exposure management.

Phase 3: Investigation and Response

Ten investigation scenario modules — the heart of the course. AiTM credential phishing, business email compromise, consent phishing, token replay, ransomware pre-encryption, insider threat, and cross-domain investigation. Each one is a complete end-to-end scenario.

Phase 4: Threat Hunting and Advanced

Six modules on proactive hunting with KQL, threat intelligence integration, MITRE ATT&CK mapping, Sentinel automation, security reporting, and Security Copilot.

Measurable skills, not vague promises

1. Investigate a multi-stage attack across the entire Microsoft stack

Trace complete attack chains across Defender for Office 365, Entra ID, Defender for Endpoint, and Sentinel. Identify initial access, determine scope, and document findings.

2. Write KQL queries that detect threats your current rules miss

Go from zero KQL experience to writing queries that surface failed sign-in spikes, impossible travel, token replay, and bulk file operations. Every query is tested against real data.

3. Build detection rules that work in production

Create Sentinel analytics rules with proper threshold tuning and entity correlation: detection rules that fire on real threats and stay quiet the rest of the time.

4. Contain active threats with confidence

Know when and how to isolate a device, revoke tokens, disable accounts, and trigger automation playbooks. Understand the consequences and make decisions under pressure.

5. Produce incident reports that get read

Write reports with clear timelines, impact assessments, and actionable recommendations. Templates follow the same structure used in real SOC operations.

6. Sit the SC-200 certification with confidence

The curriculum covers every SC-200 domain (January 2026 update). If you can investigate an AiTM campaign end-to-end, the exam is the easy part.

How to approach this course

Time commitment

Plan for roughly 50 to 60 hours across all 28 modules. Most people complete it over 8 to 12 weeks. The free modules take 3 to 4 hours — enough to decide if the depth and style are what you need. Each module is 45 to 90 minutes with sidebar navigation so you can pick up where you left off.

Lab environment

No lab needed for free modules. For paid modules, we recommend a Microsoft 365 Developer Tenant (free from developer.microsoft.com) with sample data packs. 25 user licences, E5 environment, safe to experiment. Setup instructions in Module 1.

Recommended path

Work through the phases in order. If you already have KQL and SOC experience, jump to Phase 2 or 3, but read Module 1 regardless: it is a reference map of the Microsoft security stack, and most analysts discover gaps in their understanding when they read it.

Downloadable assets

Every module includes KQL query packs, investigation flowcharts, reference cards, or report templates. Designed for day-to-day work, not just course completion. Monthly scenario challenges provide additional practice.

See for yourself

Four complete modules are free. No account, no email, no credit card. Open the page, read the content, and decide whether the depth and approach are what you need.