For Security Engineers, Administrators, and Architects Configuring and Operating the Microsoft Security Stack
Microsoft 365 Security Operations
Configure, detect, investigate, and respond across the entire Microsoft security stack.
Operate Defender XDR, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, Purview, and Sentinel as an integrated security platform. Write production KQL detection rules, build investigation playbooks, deploy hardening baselines, and investigate five real attack types end-to-end — AiTM phishing, BEC, token replay, consent phishing, and insider threat. SC-200 exam objectives fully covered — the certification is the side effect of operational competence.
Text-based · Persistent labs on your own hardware · 2 free modules available now · 36 CPE credits · Content last updated: May 2026
What you'll be able to do
Investigation-first methodology
Every module follows the same pattern: understand the attack technique, investigate it with KQL in Defender XDR and Sentinel, contain and remediate, then deploy detection rules that catch it next time. You leave each module with production artifacts — not just knowledge.
The investigation scenarios are drawn from real incidents: AiTM credential phishing campaigns, BEC payment diversions, consent phishing, token replay, and insider threat. The detection rules, playbooks, and hardening checklists are designed for immediate deployment to your tenant.
Who this course is for
SOC analysts in M365 environments. You triage alerts in Defender XDR and investigate incidents in Sentinel. This course deepens your investigation methodology and gives you deployable detection rules for every major M365 attack type.
Security engineers configuring M365 protection. You manage Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, and Sentinel. This course teaches you to configure these products for maximum detection coverage with minimal false positives.
IT professionals transitioning to security. You manage an M365 tenant and have been given security responsibility. This course provides the structured methodology to investigate incidents and deploy protection — and maps directly to SC-200 certification.
Anyone with a genuine interest in M365 security operations. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.
Deployable artifacts, not study notes
Every module produces something you deploy to your own tenant: KQL analytics rules tested against your data, investigation playbooks with binary decision points, hardening checklists with blast radius and rollback procedures, and IR report templates. 29 deployable detection rules, 5 investigation playbooks, and 5 operational checklists across the course — designed for production use, not just course completion.
What this produces
Production KQL detection rules, investigation playbooks, and hardening baselines deployed across the full Microsoft Defender XDR and Sentinel stack. Five complete attack investigations (AiTM, BEC, token replay, consent phishing, insider threat) with documented procedures — the capability that underpins the SC-200 role and distinguishes "I manage M365" from "I secure M365."
What you will be able to do
1. Investigate security incidents in the Microsoft 365 Defender XDR unified portal — correlating alerts across endpoint, email, identity, and cloud app domains.
2. Write KQL queries for investigation and detection across Defender and Sentinel tables — from basic filtering to advanced cross-table joins and statistical analysis.
3. Configure Defender protection policies — Safe Links, Safe Attachments, anti-phishing, Defender for Endpoint onboarding, and Cloud Apps policies.
4. Design and deploy Sentinel analytics rules that detect real threats — entity mapping, alert grouping, MITRE ATT&CK classification, and automated response.
5. Investigate M365-specific attack scenarios — AiTM phishing, BEC, consent phishing, token replay, ransomware pre-encryption, and insider threat.
6. Pass the SC-200 certification exam — every module maps to SC-200 objectives with hands-on experience that makes the multiple-choice exam straightforward.
Course at a glance
Modules: 17 across 4 phases
Estimated duration: 32–40 hours (self-paced)
Format: Written content — annotated KQL queries, SVG diagrams, worked artifacts, knowledge checks
Free content: Modules 0–1 — no account required
Paid content: Modules 2–16 — Premium or Team subscription
Certification: Every module maps to SC-200 exam objectives (January 2026 update)
Typical pace: ~5–10 weeks at 5 hrs/week
Hands-on labs: 8 interactive
MITRE ATT&CK coverage: 52 techniques mapped
Built by Ridgeline Cyber
Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.
Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.
The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.
What this course does NOT cover
Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.
- Deep incident response investigation — see Practical Incident Response: Windows & M365
- Detection rule engineering — see Detection Engineering
- Proactive threat hunting — see Practical Threat Hunting in Microsoft 365
Technical requirements
M365 Developer Tenant (free): From developer.microsoft.com — 25 user licenses, E5 environment, sample data packs. Setup instructions in Module 0. No lab needed for free modules.
KQL editor: Sentinel Log Analytics or Defender XDR advanced hunting portal — both included in the developer tenant.
No commercial tools required. Everything runs in the M365 portal.
How to get the most from this course
Recommended pace: 1–2 modules per week, 32–40 hours total over 8–12 weeks alongside a full-time role.
Work through phases in order. If you already have KQL and SOC experience, jump to Phase 2 or 3 — but read Module 1 regardless. Experienced analysts can go straight to Phase 4 investigation scenarios.
Deploy every artifact. Run the KQL queries against your own tenant. Deploy the detection rules. The course produces real security value when you deploy, not just when you read.
Support and community
Questions about course content: training@ridgelinecyber.com
Billing and account management: Self-service via your account page or training@ridgelinecyber.com
LinkedIn: Follow Ridgeline Cyber for operational security content and course updates
Course Syllabus
Four phases. Modules 0–1 are free — no account required.
Phase 1 — Foundations (free): Modules 00–01
Phase 2 — Microsoft Security Stack: Modules 02–05
Phase 3 — Sentinel Operations: Modules 06–11
Phase 4 — Investigation Scenarios: Modules 12–16
What you get that you will not find elsewhere
This is not a product overview. Product overviews explain features. This course teaches how to operate the M365 security stack as an integrated detection and response platform — Sentinel, Defender XDR, Defender for Office 365, Defender for Cloud Apps, and Entra ID Protection working together.
Cross-workload investigation. Real incidents span email, identity, endpoint, and cloud apps. This course teaches investigation across all four workloads using the unified incident queue and Advanced Hunting.
Mapped to SC-200. The course content aligns to Microsoft SC-200 exam objectives — but teaches at operational depth, not exam-prep depth.
Where this course fits
Entra ID Security engineers the identity layer. This course operates the security stack that monitors it.
Detection Engineering builds custom rules. This course teaches the operational context — alert queues, incident management, and cross-workload correlation — that those rules feed into.
Practical IR investigates incidents. This course teaches the M365-specific tools and data sources that IR uses.
Recommended learning path: M365 SecOps → Entra ID → DE → IR. A learner can start at any course.
The outcome
You start navigating the portal. You finish operating the platform.
Cross-workload investigation — trace attacks across email, identity, endpoint, and cloud apps.
Unified incident management — triage, investigate, and respond from a single queue.
Advanced Hunting fluency — KQL queries across all Microsoft security data tables.
Prerequisites
Required: 1+ years in IT administration, helpdesk, or a junior security role. Access to a Microsoft 365 tenant (production or developer). Familiarity with the M365 admin center.
Recommended: Basic KQL experience (where, project, summarize). The free modules (Phase 1) cover platform orientation and KQL fundamentals.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.
Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.
No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.
Version and changelog
Current version: 1.0 | Last updated: 2026
2026 — v1.0: Complete course. All 17 modules active across 4 phases. Mapped to SC-200 exam objectives (January 2026 update). Investigation scenarios: AiTM phishing, BEC, token replay, consent phishing, insider threat.
This course is actively maintained. Content is updated as the security landscape evolves.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.