Core Training Track

Microsoft 365 Security Operations

Learn to investigate, detect, and respond to real attacks in Microsoft 365 environments. This course teaches you the practical skills that separate a capable SOC analyst from someone who just passed a certification exam.

[Hero graphic: a mock Microsoft Sentinel incident queue listing "AiTM phishing — credential harvest detected" (High), "Suspicious inbox rule creation" (Medium), "Token replay from anomalous IP" (Medium) and "Mass file download — departing employee" (Low), with counters for 12 active incidents, 47 closed this week, 4.2h average resolution and 3 awaiting triage.]
  <div class="glance-card">
    <h3>Overview</h3>
    <p>This is a hands-on training course for security professionals working in Microsoft 365 environments. You will learn to investigate real attack scenarios — from the moment an alert fires through containment, eradication, and the final incident report on your CISO's desk.</p>
    <p>The course covers the full Microsoft security stack: Sentinel, Defender XDR, Defender for Endpoint, Defender for Office 365, Entra ID Protection, Defender for Cloud Apps, and Purview. You will write KQL queries, build detection rules, configure security policies, and work through complete investigation scenarios based on attacks that actually happen in production environments.</p>
    <p>This is not a slide deck walkthrough or a video course where someone reads documentation at you. Every module is written content — searchable, bookmarkable, and designed to be referenced during a live investigation at two in the morning. The KQL queries work. The detection rules are deployable. The investigation playbooks follow the same structure used in real SOC operations.</p>
    <p>The content aligns with the SC-200 Microsoft Security Operations Analyst certification objectives, but the goal is operational competence, not exam memorisation. If you can investigate an AiTM phishing campaign end-to-end, the certification exam is straightforward.</p>
  </div>

  <div class="glance-card">
    <h3>Audience profile</h3>
    <p><strong>This course is built for you if:</strong></p>
    <p>You work in a SOC or security team that uses Microsoft 365 and you want to sharpen your investigation and detection engineering skills. Maybe you have been triaging alerts for six months and you are ready to go deeper — to understand the full attack chain, write your own KQL queries, and build detection rules instead of relying on out-of-the-box content.</p>
    <p>Or you are an IT administrator who has been handed security responsibilities on top of your existing role. You know your way around the M365 admin centre, but the Defender portal and Sentinel feel like unfamiliar territory. You need structured guidance from someone who has been where you are.</p>
    <p>Or you are an MSP technician managing security for multiple client tenants. You need repeatable investigation workflows and detection rules you can deploy across environments.</p>
    <p><strong>Prerequisites:</strong> Basic familiarity with Microsoft 365 administration. You should know what Entra ID is, understand the basics of Exchange Online, and be comfortable navigating browser-based admin portals. No prior security experience or KQL knowledge required — the course teaches both from the ground up.</p>
  </div>

  <div class="glance-card full-width">
    <h3>Course syllabus</h3>
    <div class="syllabus-phases">
      <div class="syllabus-phase">
        <div class="syllabus-phase-header">
          <span class="phase-badge free">Free — Start Now</span>
          <h4>Phase 1: Foundations</h4>
          <p>Four modules that give you the vocabulary, the primary investigation tool (KQL), and your first hands-on investigation skill. No account needed. No email gate. Read them right now.</p>
        </div>
        <div class="syllabus-modules">
          <a href="/modules/free/01-m365-security-ecosystem/" class="syllabus-module">
            <span class="sm-num">01</span>
            <div><strong>The M365 Security Ecosystem</strong> — A technical map of every component in Microsoft's security stack. What each service does, what data it produces, and how they connect to each other. The reference you will return to throughout the course.</div>
          </a>
          <a href="/modules/free/02-kql-fundamentals/" class="syllabus-module">
            <span class="sm-num">02</span>
            <div><strong>KQL Fundamentals for Security Analysts</strong> — The query language that drives everything in Sentinel and Defender XDR. Operators, functions, joins, and 14 investigation patterns you will use in every module that follows.</div>
          </a>
          <a href="/modules/free/03-defender-xdr-navigation/" class="syllabus-module">
            <span class="sm-num">03</span>
            <div><strong>Defender XDR Portal Navigation</strong> — How the unified security portal is organised. Incident queues, alert management, advanced hunting, and the response actions available to you. Know where everything is before your first real alert.</div>
          </a>
          <a href="/modules/free/04-entra-signin-log-analysis/" class="syllabus-module">
            <span class="sm-num">04</span>
            <div><strong>Entra ID Sign-In Log Analysis</strong> — Your first investigation skill. Every compromise investigation starts here. You will learn to read sign-in logs, identify anomalies, and write KQL queries that surface compromised accounts.</div>
          </a>
        </div>
      </div>

      <div class="syllabus-phase">
        <h4>Phase 2: Environment and Configuration</h4>
        <p>Eight modules covering Sentinel workspace design, data connectors, Defender for Endpoint and Office 365 configuration, analytics rule creation, cloud workload protection, and exposure management. You will configure the security infrastructure that detection and investigation depend on.</p>
      </div>

      <div class="syllabus-phase">
        <h4>Phase 3: Investigation and Response</h4>
        <p>Ten investigation scenario modules — the heart of the course. Each one walks you through a complete real-world attack from initial alert through containment, eradication, and reporting. Scenarios include AiTM credential phishing, business email compromise, consent phishing, token replay, ransomware pre-encryption, insider threat, and cross-domain investigation.</p>
      </div>

      <div class="syllabus-phase">
        <h4>Phase 4: Threat Hunting and Advanced</h4>
        <p>Six modules on proactive threat hunting with KQL, threat intelligence integration, MITRE ATT&CK mapping, Sentinel automation with playbooks, security reporting with workbooks, and Security Copilot for SOC operations.</p>
      </div>
    </div>
  </div>
</div>

The Microsoft security stack, end to end

You will work across every major component of Microsoft's security ecosystem. Here is what you will get hands-on experience with.

<div class="tech-diagram">
  <svg viewBox="0 0 900 420" fill="none" xmlns="http://www.w3.org/2000/svg" class="tech-svg">
    <!-- Central hub -->
    <rect x="340" y="160" width="220" height="100" rx="12" fill="#0F2B3C" stroke="#E86A2A" stroke-width="2"/>
    <text x="450" y="200" fill="#fff" font-family="sans-serif" font-size="14" font-weight="700" text-anchor="middle">Defender XDR</text>
    <text x="450" y="220" fill="#94a3b8" font-family="sans-serif" font-size="11" text-anchor="middle">Unified correlation and response</text>
    <text x="450" y="240" fill="#E86A2A" font-family="sans-serif" font-size="10" text-anchor="middle">Modules 3, 9, 21</text>

    <!-- Top row -->
    <rect x="20" y="20" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="110" y="55" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Defender for Endpoint</text>
    <text x="110" y="75" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">EDR, ASR, device timeline</text>
    <text x="110" y="95" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Modules 7, 17, 19</text>
    <path d="M200 85 L340 180" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>

    <rect x="240" y="20" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="330" y="55" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Defender for Office 365</text>
    <text x="330" y="75" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">Email protection, Safe Links</text>
    <text x="330" y="95" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Modules 8, 13, 14</text>
    <path d="M380 110 L420 160" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>

    <rect x="480" y="20" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="570" y="55" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Defender for Identity</text>
    <text x="570" y="75" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">On-prem AD threat detection</text>
    <text x="570" y="95" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Module 19</text>
    <path d="M530 110 L490 160" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>

    <rect x="700" y="20" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="790" y="55" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Defender for Cloud Apps</text>
    <text x="790" y="75" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">CASB, OAuth governance</text>
    <text x="790" y="95" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Modules 9, 15</text>
    <path d="M700 85 L560 180" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>

    <!-- Bottom row -->
    <rect x="20" y="310" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="110" y="345" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Entra ID Protection</text>
    <text x="110" y="365" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">Identity, conditional access</text>
    <text x="110" y="385" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Modules 4, 13, 16</text>
    <path d="M200 335 L340 240" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>

    <rect x="240" y="310" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#059669" stroke-width="2"/>
    <text x="330" y="345" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Microsoft Sentinel</text>
    <text x="330" y="365" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">SIEM, SOAR, analytics</text>
    <text x="330" y="385" fill="#059669" font-family="sans-serif" font-size="9" text-anchor="middle">Modules 5, 6, 10, 23–28</text>
    <path d="M380 310 L420 260" stroke="#059669" stroke-width="1" stroke-dasharray="4"/>

    <rect x="480" y="310" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="570" y="345" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Microsoft Purview</text>
    <text x="570" y="365" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">Audit logs, DLP, eDiscovery</text>
    <text x="570" y="385" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Modules 13, 14, 18</text>
    <path d="M530 310 L490 260" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>

    <rect x="700" y="310" width="180" height="90" rx="10" fill="#0F2B3C" stroke="#1A4A5C" stroke-width="1"/>
    <text x="790" y="345" fill="#fff" font-family="sans-serif" font-size="12" font-weight="600" text-anchor="middle">Microsoft Intune</text>
    <text x="790" y="365" fill="#94a3b8" font-family="sans-serif" font-size="10" text-anchor="middle">Device compliance, config</text>
    <text x="790" y="385" fill="#E86A2A" font-family="sans-serif" font-size="9" text-anchor="middle">Module 7</text>
    <path d="M700 335 L560 240" stroke="#1A4A5C" stroke-width="1" stroke-dasharray="4"/>
  </svg>
</div>

How to get the most from this course

<div class="study-guide">
  <div class="sg-block">
    <div class="sg-icon">
      <svg width="32" height="32" fill="none" stroke="#E86A2A" stroke-width="1.5" viewBox="0 0 24 24"><path d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z"/></svg>
    </div>
    <div class="sg-content">
      <h3>Time commitment</h3>
      <p>The full course represents roughly <strong>50–60 hours</strong> of study, spread across 28 modules. Most people complete it over 8–12 weeks alongside their day job. The free modules (Phase 1) take around 3–4 hours total and give you a solid foundation before you commit to a subscription.</p>
      <p>Each module is designed to be completed in a single sitting of 45–90 minutes, but you can pick up where you left off — the content is broken into clearly labelled subsections with sidebar navigation.</p>
    </div>
  </div>

  <div class="sg-block">
    <div class="sg-icon">
      <svg width="32" height="32" fill="none" stroke="#E86A2A" stroke-width="1.5" viewBox="0 0 24 24"><path d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z"/></svg>
    </div>
    <div class="sg-content">
      <h3>Lab environment</h3>
      <p>For the free modules, no lab is needed — the content is self-contained with annotated screenshots and code examples you can read and understand without a live environment.</p>
    <p>For paid modules, we recommend a <strong>Microsoft 365 Developer Tenant</strong> (from developer.microsoft.com; eligibility for a free sandbox has narrowed, so check the current terms) with sample data packs loaded. This gives you a safe environment to run KQL queries, explore portals, and test detection rules without touching production. Note that Sentinel is an Azure service rather than an M365 workload: you will also need an Azure subscription to host the Log Analytics workspace Sentinel runs on. Setup instructions are included in Module 1.</p>
    </div>
  </div>

  <div class="sg-block">
    <div class="sg-icon">
      <svg width="32" height="32" fill="none" stroke="#E86A2A" stroke-width="1.5" viewBox="0 0 24 24"><path d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"/></svg>
    </div>
    <div class="sg-content">
      <h3>Recommended learning path</h3>
      <p>Work through the phases in order. Phase 1 gives you the vocabulary and tools. Phase 2 builds your understanding of the environment. Phase 3 is where you develop real investigation skills through scenario walkthroughs. Phase 4 takes you into proactive hunting and automation.</p>
      <p>If you are already working in a SOC and have KQL experience, you can skip to Phase 2 or 3 — but read Module 1 regardless. It is a reference document you will return to throughout the course, and most analysts discover gaps in their understanding of how the ecosystem components connect.</p>
    </div>
  </div>

  <div class="sg-block">
    <div class="sg-icon">
      <svg width="32" height="32" fill="none" stroke="#E86A2A" stroke-width="1.5" viewBox="0 0 24 24"><path d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4"/></svg>
    </div>
    <div class="sg-content">
      <h3>What you will take away</h3>
      <p>Every module includes downloadable assets: KQL query packs, investigation flowcharts, reference cards, or report templates. These are not supplementary materials — they are production tools designed to be used in your day-to-day work.</p>
      <p>The monthly scenario challenges give you the opportunity to test your skills independently before comparing your approach to the published solution.</p>
    </div>
  </div>
</div>

What you will be able to do after this course

These are not aspirational statements. They are specific, measurable skills you will demonstrate through the investigation scenarios, KQL exercises, and detection rules you build during the course.

<div class="outcomes-detailed">
  <div class="outcome-detail">
    <div class="od-num">1</div>
    <div class="od-content">
      <h3>Investigate a multi-stage attack across the entire Microsoft security stack</h3>
      <p>Given an initial alert — a phishing email, a suspicious sign-in, or an anomalous file download — you will trace the complete attack chain across Defender for Office 365, Entra ID sign-in logs, Defender for Endpoint, and Sentinel. You will identify the initial access vector, determine the scope of compromise, and document your findings.</p>
    </div>
  </div>
  <div class="outcome-detail">
    <div class="od-num">2</div>
    <div class="od-content">
      <h3>Write KQL queries that detect real threats</h3>
      <p>You will go from zero KQL knowledge to writing queries that surface failed sign-in spikes, impossible travel events, suspicious inbox rule creation, token replay activity, and mass file downloads. Every query in this course has been tested in a production Sentinel workspace.</p>
    </div>
  </div>
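Module 04 and outcome 2 above both describe writing KQL over Entra ID sign-in logs to surface compromised accounts. The query below is an added example written for this page, not a query from the course: it finds a burst of credential failures from one IP against one account, then looks for a successful sign-in from the same IP inside that window, which is the classic signature of a password spray or brute force that eventually landed. It assumes the standard Sentinel <code>SigninLogs</code> table from the Microsoft Entra ID connector; the one-hour window and the failure threshold are illustrative starting values, not figures from the course.

```kql
// Added example, not course content. Assumes the Sentinel SigninLogs table fed by
// the Microsoft Entra ID connector; window and threshold are illustrative starting values.
let lookback = 1d;
let window = 1h;
let failure_threshold = 20;   // constructed: below this, hourly failures are usually a user mistyping
// Entra result codes for wrong or unusable credentials: the attacker was guessing, not MFA-blocked
// 50126 invalid credentials, 50053 account locked, 50055 expired password, 50056 null password
let credential_failures = dynamic(["50126", "50053", "50055", "50056"]);
// Step 1: hourly failure bursts per account and source IP
let spikes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (credential_failures)
    | summarize Failures = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress, Hour = bin(TimeGenerated, window)
    | where Failures >= failure_threshold;
// Step 2: a success for the same account from the same IP during or just after the burst
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"          // "0" is a successful sign-in
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          Location, AuthenticationRequirement, UserAgent
| join kind=inner spikes on UserPrincipalName, IPAddress
| where SuccessTime between (FirstFailure .. (LastFailure + window))
| project UserPrincipalName, IPAddress, Location, Failures, FirstFailure, LastFailure,
          SuccessTime, AppDisplayName, AuthenticationRequirement, UserAgent
| order by Failures desc, SuccessTime asc
```

Read <code>AuthenticationRequirement</code> first when a row comes back: <code>singleFactorAuthentication</code> means the guessed password alone got the attacker in and the account should be treated as compromised; <code>multiFactorAuthentication</code> means the password is known but MFA held, which still warrants a reset. Two caveats a tuned version should handle: a burst that straddles an hour boundary is split across two bins and may fall under the threshold, and sprays from rotating proxy IPs defeat the same-IP join, so pair this query with a per-account count across all IPs.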
  <div class="outcome-detail">
    <div class="od-num">3</div>
    <div class="od-content">
      <h3>Build and deploy detection rules in Sentinel</h3>
      <p>You will create scheduled analytics rules, near-real-time rules, and anomaly-based detections. You will understand testing methodology, threshold tuning, and how to avoid the false positive noise that makes detection rules useless in production.</p>
    </div>
  </div>
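Outcome 2 lists suspicious inbox rule creation and outcome 3 describes building scheduled analytics rules with threshold tuning. The query below is an added example for this page, not a rule shipped with the course: it is the query body of a scheduled rule that flags inbox rules which forward mail out, delete it, or hide it in folders nobody reads, scoring each rule so the threshold can be tuned per tenant. It assumes the Sentinel <code>OfficeActivity</code> table from the Office 365 connector, whose <code>Parameters</code> column is a JSON string of <code>{Name, Value}</code> pairs; the weights, folder list and keyword list are illustrative starting values.

```kql
// Added example, not course content. Assumes the Sentinel OfficeActivity table
// (Office 365 connector, Exchange workload). Weights, folder names and keywords are
// illustrative starting values, not tuned figures from the course.
let lookback = 1h;   // constructed: align with the rule's "run every / lookup data from" settings
let hiding_folders = dynamic(["RSS Feeds", "RSS Subscriptions", "Junk Email", "Archive",
                              "Conversation History", "Deleted Items", "Notes"]);
let lure_keywords = dynamic(["invoice", "payment", "wire", "bank", "password",
                             "hacked", "phish", "suspicious", "security", "helpdesk"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule")
// Parameters is a JSON array of {Name, Value}; fold it into one property bag per event
| extend P = parse_json(Parameters)
| mv-apply p = P on (
    summarize Params = make_bag(bag_pack(tostring(p.Name), tostring(p.Value)))
  )
| extend RuleName   = coalesce(tostring(Params.Name), tostring(Params.Identity)),
         Forwarding = strcat(tostring(Params.ForwardTo), tostring(Params.RedirectTo),
                             tostring(Params.ForwardAsAttachmentTo)),
         MoveTo     = tostring(Params.MoveToFolder),
         Deletes    = tostring(Params.DeleteMessage) =~ "True",
         MarksRead  = tostring(Params.MarkAsRead) =~ "True",
         Matches    = strcat(tostring(Params.SubjectContainsWords), " ",
                             tostring(Params.BodyContainsWords), " ",
                             tostring(Params.SubjectOrBodyContainsWords))
// Score the rule: forwarding and evidence hiding weigh most; a lone keyword filter is common and benign
| extend Score = iff(isnotempty(Forwarding), 3, 0)
               + iff(Deletes, 2, 0)
               + iff(MoveTo in~ (hiding_folders), 2, 0)
               + iff(Matches has_any (lure_keywords), 1, 0)
               + iff(MarksRead, 1, 0)
| where Score >= 2      // threshold: raise to 3 in tenants with heavy legitimate forwarding
| project TimeGenerated, UserId, ClientIP, Operation, RuleName, Score,
          Forwarding, MoveTo, Deletes, MarksRead, Matches
| order by Score desc, TimeGenerated desc
```

When this becomes a scheduled analytics rule, map <code>UserId</code> to the Account entity and <code>ClientIP</code> to the IP entity so the incident carries both, and set the rule period to match <code>lookback</code> so no event is scored twice or missed. The forwarding check fires on internal as well as external targets; if internal forwarding is routine in your tenant, compare the target domain against your accepted domains before awarding the three points. Rules created from Outlook desktop arrive as <code>UpdateInboxRules</code> events with a different parameter layout and are not covered here.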
  <div class="outcome-detail">
    <div class="od-num">4</div>
    <div class="od-content">
      <h3>Contain active threats and coordinate response actions</h3>
      <p>You will know when and how to isolate a device, revoke session tokens, disable a compromised account, remove malicious inbox rules, and trigger automation playbooks. You will understand the blast radius of each action, and its limits: revoking a user's sessions in Entra ID invalidates refresh tokens, but access tokens already issued keep working until they expire unless Continuous Access Evaluation cuts them off, so revocation is paired with a password reset and a check for lingering activity rather than treated as a complete fix. You will make informed containment decisions under pressure.</p>
    </div>
  </div>
  <div class="outcome-detail">
    <div class="od-num">5</div>
    <div class="od-content">
      <h3>Write incident reports that senior leadership can act on</h3>
      <p>You will produce professional reports with attack timelines, impact assessments, containment summaries, and remediation recommendations. The templates provided follow the same structure used in real SOC operations and are designed for a CISO audience.</p>
    </div>
  </div>
</div>

Start with the free modules

Four complete modules. No account. No email gate. No credit card. Just open the page and start reading. If the content is what you need, the paid modules are there when you are ready.