Operational Toolkit

Security Operations Center (SOC) Analyst Operations

The training teaches you the skill. This gives you the deployable infrastructure to use it. Detection rules, investigation playbooks, incident response templates, and hardening checklists — built for Microsoft 365 environments and ready to deploy in production today.

AiTM Phishing: 5 rules · playbook · report
BEC Investigation: 6 rules · playbook · report
Consent Phishing: 5 rules · playbook · report
Token Replay: 6 rules · playbook · report
Ransomware: 7 rules · playbook · report
Insider Threat: 6 rules · playbook · report

Overview

SOC Analyst Operations is a library of deployable assets for security teams working in Microsoft 365 environments. It is not a training course — it is the operational output you would have if you had spent months building a mature SOC from scratch.

Each scenario pack contains five layers of deployable infrastructure: detection rules as importable ARM and JSON templates, step-by-step investigation playbooks with embedded KQL queries, containment procedures with exact commands and decision trees, pre-structured report templates for different audiences, and hardening checklists with verification steps for each control.

Every KQL query has been tested against real log data. Every ARM template can be imported directly into your Sentinel workspace. Every playbook follows the investigation methodology used in real SOC operations. This is not documentation you file and forget — it is infrastructure you deploy and use.

Audience profile

SOC analysts and security engineers who need to move fast. You understand the concepts and you have the skills, but building detection rules, playbooks, and templates from scratch takes time you do not have. You need a library of tested, production-ready assets you can deploy this week.

Security managers building team capabilities. You are standing up or maturing a SOC and you need frameworks your team can follow. Detection rules that are MITRE ATT&CK mapped, playbooks your junior analysts can execute under pressure, and report templates that save hours on every incident.

MSSP consultants serving multiple clients. You need repeatable operational packs you can customise and deploy across client environments. The standardised structure means consistent quality regardless of which analyst handles the incident.

SOC Analyst Operations pairs with the M365 Security Operations training course, but it stands alone. If you already know how to investigate incidents and you need the tools, this is what you are looking for.

What is included

6 Scenario Operating Packs

Each pack addresses a specific threat scenario end-to-end. Every pack follows the same five-layer structure: Detection, Investigation, Containment, Reporting, and Hardening.

AiTM Credential Phishing — Detection rules for proxy-based credential harvest, session token anomalies, inbox rule manipulation, and lateral phishing chains. Full investigation playbook from initial alert through containment and reporting.
Business Email Compromise — Vendor impersonation detection, payment diversion indicators, mailbox forwarding surveillance, and evidence packaging procedures for law enforcement referral.
Consent Phishing and OAuth Abuse — App registration monitoring, excessive permission detection, malicious application identification, and enterprise-wide remediation procedures.
Token Replay and Session Hijacking — Non-interactive sign-in anomalies, conditional access bypass detection, geographically improbable token usage, and forced token revocation procedures.
Ransomware Pre-Encryption — Early-stage lateral movement indicators, credential access detection, shadow copy deletion alerts, and automated containment triggers for rapid device isolation.
Insider Threat — Data exfiltration pattern detection, departing employee activity monitoring, DLP alert correlation, and evidence preservation workflows for HR and legal proceedings.

Cross-Scenario Assets

KQL Master Library — 35+ detection queries and 20+ investigation queries, each mapped to MITRE ATT&CK with documented thresholds, tuning guidance, and expected false positive rates.
Sentinel Deployment Pack — Importable ARM templates for analytics rules, automation rules, and workbooks. Deploy an entire detection capability in minutes.
IR Report Template Set — Pre-structured templates for executive summaries, technical deep-dives, and evidence appendices. Designed for different audience levels within the same incident.
M365 Security Baseline Checklist — Comprehensive hardening checklist covering identity, email, endpoint, data protection, and monitoring. Each control includes verification steps and implementation priority.

Deploy production-ready security operations

Available as a one-time purchase or included with the Professional training subscription. The library receives regular updates as new threat scenarios and detection techniques emerge.