Flagship Course

Advanced Investigative Methodology for SOC Analysts, IR Practitioners, and Security Engineers

Practical Incident Response: Windows & Microsoft 365

The Mission: Follow the Adversary Across the Hybrid Stack

Modern breaches do not exist in isolation. They are fluid, crossing the boundary between local endpoints and cloud identity providers. This curriculum moves beyond theoretical silos to teach integrated investigation: tracing every artifact, every log entry, and every unauthorized command as it traverses your infrastructure.

INCIDENT RESPONSE — INVESTIGATION TIMELINE

T+0:00 Alert: AiTM phishing — credential harvested via proxy page. Source: Defender for Office 365 → EmailEvents table → KQL
T+0:04 Session token replayed — attacker authenticates as victim. Source: Entra ID SigninLogs → Conditional Access evaluation → KQL
T+0:12 Inbox rule created — forwarding financial emails externally. Source: Purview Audit → Exchange PowerShell → Mailbox audit log
T+0:38 Malicious attachment downloaded — payload executes on endpoint. Source: Prefetch + AmCache (EZTools) → DeviceProcessEvents (KQL)
T+2:15 Lateral movement — PsExec to domain controller via stolen creds. Source: Event Log 7045 (EvtxECmd) → Volatility 3 → NTFS $MFT timeline

19 modules · 12 tools · 4 scenarios · 40-50 hours

19 Modules of Production-Grade IR

This course reconstructs the full lifecycle of a sophisticated intrusion. We trace the attacker's progression from the moment a phishing payload bypasses Exchange Online to the final exfiltration of data through SharePoint. You will learn to synchronize evidence from Entra ID credential theft with Windows endpoint forensic artifacts to build a defensible timeline of the breach.

Integrated Evidence Recovery. Discover how to find, interpret, and document evidence at every stage — from initial access to domain-wide persistence.

The Practitioner's Toolset. Master the deployment and execution of production-ready IR tools, focusing on high-utility solutions that can be implemented immediately.

Reality-Based Scenarios. Bridge the gap between "Cloud Security" and "Endpoint Defense" by analyzing how attackers leverage hybrid vulnerabilities to achieve their objectives.

Who this course is for

SOC analysts moving into incident response. You triage alerts and escalate incidents. This course teaches you to investigate them — to go from "suspicious sign-in detected" to "here is exactly what the attacker accessed, how they got in, and what we need to do about it."

IR practitioners expanding into M365. You know Windows forensics. You can parse Prefetch files and build NTFS timelines. But when the attack starts in Exchange Online and the credential theft happens in Entra ID, you need the cloud investigation skills to complete the picture.

Cloud security analysts learning endpoint forensics. You investigate in KQL and Purview. But when the attacker drops a payload on the endpoint and the cloud logs stop telling the story, you need the Windows artifact analysis to follow the trail.

Security engineers building IR capability. Your organization needs a formal IR process. This course provides the methodology, the tool deployment, the investigation procedures, and the reporting templates — from readiness through response through post-incident improvement.

The toolkit — free and open-source first

Every technique is taught with at least one free tool and one enterprise alternative. You are never locked into a vendor. You are never told "buy this $50,000 forensic suite to follow along."

Triage and collection: KAPE (Kroll Artifact Parser and Extractor) for targeted artifact collection. Velociraptor for remote live response and hunting across endpoints. Binalyze AIR as the enterprise alternative.

Endpoint analysis: Eric Zimmerman Tools (EZTools) — PECmd, AmcacheParser, EvtxECmd, MFTECmd, Registry Explorer, Timeline Explorer, ShellBags Explorer. The complete EZTools suite for parsing every Windows forensic artifact. Magnet AXIOM Cyber as the enterprise alternative.

Memory forensics: Volatility 3 for RAM analysis — process trees, network connections, injected code, rootkit detection. No commercial requirement.

Cloud investigation: KQL (Advanced Hunting) in Defender XDR and Microsoft Sentinel. Microsoft Purview Audit for M365 activity trails. Splunk as the enterprise SIEM alternative.

Native response: PowerShell for live response, evidence collection, containment actions, and automation. The tool every Windows environment already has.

Course syllabus

19 modules across five phases. The free modules (IR0-IR2) establish the foundations — IR methodology, toolkit deployment, and evidence acquisition. The paid modules build Windows forensic analysis skills (IR3-IR7), Microsoft 365 cloud investigation techniques (IR8-IR12), complete worked investigation scenarios (IR13-IR16), and professional IR reporting and readiness (IR17-IR18).

Phase 1 — Foundations (Modules IR0-IR2, FREE): The IR lifecycle, complete toolkit setup, evidence acquisition and chain of custody.

Phase 2 — Windows Endpoint Forensics (Modules IR3-IR7): Execution and persistence artifacts, filesystem and registry analysis, event log investigation, memory forensics, lateral movement and credential theft.

Phase 3 — M365 Cloud Investigation (Modules IR8-IR12): Identity compromise, Exchange Online forensics, SharePoint/OneDrive/Teams investigation, Entra ID and Azure AD analysis, Defender XDR as an IR platform.

Phase 4 — Investigation Scenarios (Modules IR13-IR16): Four complete worked investigations — ransomware, BEC, insider threat, and advanced persistent threat — each following the full attack chain from initial access to IR report.

Phase 5 — Reporting and Operations (Modules IR17-IR18): IR reporting from evidence to executive summary, and building organizational IR readiness.

Phase 1 — Foundations (Modules IR0-IR2) — FREE
IR0: Course Introduction — Who this course is for. The IR lifecycle (NIST SP 800-61 and SANS PICERL). How this course connects to M365 Security Operations, SOC Operations, and the GRC course. Lab environment setup. (Coming Soon)

IR1: The IR Toolkit — Setting Up Your Arsenal — KAPE installation and target/module configuration. EZTools deployment. Velociraptor server setup. Volatility 3 environment. PowerShell remoting for live response. Defender XDR Live Response. Binalyze AIR and Magnet AXIOM Cyber overview. Building the jump bag. (Coming Soon)

IR2: Evidence Acquisition and Chain of Custody — Forensic soundness principles. Triage collection with KAPE. Full disk imaging vs triage. Remote collection with Velociraptor. M365 evidence preservation (litigation hold, Purview audit export, content search). Chain of custody documentation. Evidence integrity and legal considerations. (Coming Soon)

IR3: Windows Artifact Analysis — Execution and Persistence — Evidence of execution: Prefetch, AmCache, ShimCache, BAM/DAM, UserAssist, Jump Lists. Persistence mechanisms: Run/RunOnce, scheduled tasks, services, WMI subscriptions, COM hijacks. Analysis with EZTools. KAPE automated parsing. Timeline creation with MFTECmd and Timeline Explorer. (Coming Soon)

IR4: Windows Artifact Analysis — Filesystem and Registry — NTFS artifacts: $MFT, $UsnJrnl, $LogFile, $I30, Zone.Identifier ADS. Registry forensics: SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat. Analysis with MFTECmd, Registry Explorer, RECmd, ShellBags Explorer. Deleted file recovery and timestomping detection. (Coming Soon)

IR5: Windows Event Log Analysis — Critical event IDs: 4624/4625 logon, 4688 process creation, 4720 account creation, 7045 service install, 1102 log cleared, Sysmon. PowerShell logging: ScriptBlock, Module, Transcription. RDP, Task Scheduler, WMI logs. EvtxECmd analysis. Log gap detection and anti-forensics. (Coming Soon)

IR6: Memory Forensics with Volatility 3 — Memory acquisition: WinPMem, hibernation file, crash dump. Volatility 3 analysis: PsList, PsTree, NetScan, DllList, Handles, CmdLine, Malfind. Process injection, hollowing, and rootkit detection. Worked investigation: identifying a Cobalt Strike beacon in memory. (Coming Soon)

IR7: Lateral Movement and Credential Theft Analysis — Pass-the-hash, pass-the-ticket, overpass-the-hash. RDP forensics (bitmap cache, event logs). PsExec and SMB artifacts. WMI lateral movement. LSASS access detection, DCSync, Kerberoasting, AS-REP roasting. Combined Windows artifact and KQL analysis. (Coming Soon)

IR8: M365 Identity Compromise Investigation — Entra ID sign-in log analysis: risky sign-ins, impossible travel, token replay, MFA bypass. Conditional access evaluation. Audit logs: app consent, role assignment, CA policy changes. AiTM and OAuth consent phishing investigation. Worked scenario: BEC from initial phish to financial fraud. (Coming Soon)

IR9: Exchange Online and Email Forensics — Mailbox audit logging: MailItemsAccessed, Send, MoveToDeletedItems. Purview audit for identifying exactly which emails were read. Inbox rule and mail forwarding forensics. Transport rule manipulation. eDiscovery content search. Worked scenario: invoice interception and payment redirection. (Coming Soon)

IR10: SharePoint, OneDrive, and Teams Investigation — File access and exfiltration detection. Anonymous sharing link abuse. Teams message exfiltration. OneDrive sync client endpoint forensics. Purview audit analysis. Sensitivity label and DLP event investigation. Worked scenario: insider exfiltrating IP via OneDrive sync before resignation. (Coming Soon)

IR11: Entra ID and Azure AD Investigation — Directory enumeration. Privileged role escalation. Service principal and app registration abuse. Conditional access modification tracking. Federation trust manipulation. Token theft and replay: PRT, refresh token, FOCI exploitation. Worked scenario: persistent access via service principal credential injection. (Coming Soon)

IR12: Defender XDR as an IR Platform — Incident queue triage. Advanced hunting for IR with cross-table queries. Live Response: file collection, script execution, memory capture. AIR analysis. Attack disruption. Custom detection rules for post-incident monitoring. Connecting Defender XDR to Sentinel for correlation and retention. (Coming Soon)

IR13: Ransomware Investigation — Pre-encryption detection. Encryption timeline reconstruction from MFT, USN journal, and event logs. Variant identification. Data exfiltration assessment (double extortion). Recovery evaluation. Full worked investigation: phishing → Cobalt Strike → domain admin → ransomware deployment. All tools. (Coming Soon)

IR14: Business Email Compromise Investigation — Full BEC lifecycle: credential theft → mailbox access → reconnaissance → financial fraud → cover-up. Inbox rule forensics. Invoice manipulation detection. Financial transaction tracing. Worked investigation: CEO fraud targeting the finance team. (Coming Soon)

IR15: Insider Threat Investigation — Data exfiltration patterns: USB, cloud sync, email, print. User behavior timeline construction. Endpoint + cloud evidence correlation. HR/Legal coordination. Evidence preservation for legal proceedings. Worked investigation: departing employee extracting customer data over 30 days. (Coming Soon)

IR16: Advanced Persistent Threat Investigation — LOLBin detection. Supply chain indicators. Multi-stage implant analysis. Persistence across reboots. C2 communication analysis. MITRE ATT&CK mapping throughout. Full worked investigation: nation-state style intrusion from initial access through data staging. Full toolkit. (Coming Soon)

IR17: IR Reporting — From Evidence to Executive Summary — Evidence-to-finding methodology. Technical IR report structure. Executive summary for leadership. Attacker activity timeline. Regulatory notification support (ICO, CSIRT, SEC). Lessons learned and post-incident review. Report sanitization for external sharing. Worked templates for every deliverable. (Coming Soon)

IR18: Building IR Readiness — IR plan development. Evidence collection playbook. Tabletop exercise design and execution. IR retainer evaluation. Detection engineering from IR findings. Purple team integration. Continuous improvement: MTTD, MTTR, containment time, and recurrence rate. (Coming Soon)

What makes this course different

Unified investigation, not isolated skills

Other courses teach Windows forensics or M365 investigation. This course teaches the investigation — from the phishing email in Exchange through the credential theft in Entra ID through the malware execution on the endpoint through the lateral movement across the domain through the data exfiltration in SharePoint. One attack. One investigation. Every evidence source.

Free tools at professional depth

KAPE, Eric Zimmerman Tools, Velociraptor, Volatility 3, KQL, PowerShell. These are the same tools used by SANS instructors, Big 4 IR consultancies, and government CERT teams. The difference between a free tool and a $50,000 forensic suite is the interface, not the capability. This course teaches the capability.

Investigation reasoning, not tool operation

Every finding includes three statements: what it proves, what it does not prove, and what investigation step it leads to next. "Prefetch shows calc.exe executed at 14:32 — this proves execution occurred but does not prove who executed it. Next step: correlate with Event ID 4624 to identify the active session at that time." This is how experienced responders think. This course teaches that thinking.
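As an added illustration (not course material, and not code from the course's toolkit), the Prefetch-to-4624 correlation step described above in Python: given a Prefetch last-run time, it lists the logon sessions that were still open at that moment, ranking interactive sessions first. Event IDs 4624/4634/4647 and logon types 2/10/11 are standard Windows values; the records themselves are constructed sample data shaped like PECmd and EvtxECmd CSV output, and the user names and LogonIds are invented.

```python
from datetime import datetime

# Constructed sample data modelled on PECmd output: one Prefetch last-run hit.
PREFETCH_HIT = {"exe": "CALC.EXE", "last_run": datetime(2024, 3, 5, 14, 32, 0)}

# Constructed 4624/4634 records modelled on EvtxECmd output:
# (timestamp, event id, target user, LogonId, logon type)
LOGON_EVENTS = [
    (datetime(2024, 3, 5, 8, 55, 0), 4624, "jdoe", "0x3E7A1", 2),         # console logon
    (datetime(2024, 3, 5, 14, 10, 0), 4624, "svc-backup", "0x4F002", 3),  # network logon
    (datetime(2024, 3, 5, 14, 11, 0), 4634, "svc-backup", "0x4F002", 3),  # ...logged off
    (datetime(2024, 3, 5, 14, 20, 0), 4624, "admin-rt", "0x51C22", 10),   # RDP logon
    (datetime(2024, 3, 5, 15, 5, 0), 4634, "admin-rt", "0x51C22", 10),    # logged off later
]

# Logon types under which a user could plausibly have launched a GUI program:
# 2 = interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}


def sessions_active_at(events, when):
    """Sessions whose 4624 precedes `when` with no 4634/4647 for the same LogonId before it."""
    opened, closed = {}, set()
    for ts, event_id, user, logon_id, logon_type in sorted(events):
        if ts > when:          # events after the execution time cannot close a session earlier
            break
        if event_id == 4624:
            opened[logon_id] = (user, logon_type)
        elif event_id in (4634, 4647):
            closed.add(logon_id)
    return {lid: v for lid, v in opened.items() if lid not in closed}


def attribute_execution(prefetch_hit, events):
    """Candidate accounts for a Prefetch execution: (user, LogonId, logon type), interactive first."""
    active = sessions_active_at(events, prefetch_hit["last_run"])
    ranked = sorted(active.items(), key=lambda kv: kv[1][1] not in INTERACTIVE_TYPES)
    return [(user, lid, ltype) for lid, (user, ltype) in ranked]


if __name__ == "__main__":
    for user, lid, ltype in attribute_execution(PREFETCH_HIT, LOGON_EVENTS):
        print(f"{PREFETCH_HIT['exe']} at {PREFETCH_HIT['last_run']:%H:%M}: "
              f"session {lid} ({user}, logon type {ltype}) was active")
```

The output is a list of candidate sessions, not proof of who ran the binary: two interactive sessions were open at 14:32 in the sample, so the next step is to narrow further (for example 4688 process creation with the SubjectLogonId, or UserAssist for the candidate users).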

Text-based, reference-grade

At 2 AM during a real incident, you need to search "AmCache parser output columns" and find the answer in 10 seconds. You don't need to scrub through a 45-minute video to find the 30-second segment where the instructor mentioned it. Every module is searchable, scannable, and designed as a reference you return to under pressure — not a video you watch once and forget.

Production artifacts in every module

Every module produces something you deploy: an IR report template, an evidence custody form, a containment checklist, a detection rule, a KQL query, a PowerShell collection script. The course doesn't just teach you how to investigate — it gives you the documents you'll use when you do.

Built from real investigations

The investigation scenarios in Phase 4 are based on real incident response engagements — sanitized, restructured for teaching, but grounded in attacker behavior observed in production environments. The tool commands work. The artifacts are realistic. The decision points reflect actual investigation pressure.

How to approach this course

Recommended path

Complete Phase 1 (foundations) first — the toolkit setup and evidence acquisition methodology are prerequisites for everything that follows. Phase 2 (Windows) and Phase 3 (M365) can be studied in either order depending on your background, but completing both before Phase 4 is strongly recommended because the investigation scenarios draw from techniques across both environments.

Phase 4 is the capstone. Each scenario module reconstructs a complete attack using the skills from Phases 2 and 3. Phase 5 (reporting and readiness) can be studied alongside or after Phase 4.

How it connects to other courses

M365 Security Operations teaches you to operate the Defender stack — detect, triage, and respond. This course teaches you to investigate after detection — to reconstruct what happened, determine the full scope, and produce the evidence.

SOC Operations provides detection rules and playbooks. This course closes the loop — when a detection fires and the playbook runs, the IR course teaches the investigation that follows.

Mastering KQL builds the query language foundation. This course applies KQL to incident investigation — the queries you write when the alert is real and the clock is running.

Practical GRC modules G9 (breach notification), G13 (board reporting), and G14 (regulatory notification) connect directly to IR17 — the reporting module that turns investigation findings into the governance deliverables.

Coming soon

The Practical Incident Response course is currently in development. The first modules are targeted for release in 2026. Subscribe to be notified when content becomes available.