For SOC analysts, detection engineers, and security operations managers in M365 environments
Security Operations Center (SOC) Operations
Build a production SOC capability from detection to documentation.
13 modules that take you from detection engineering methodology through 28 production KQL rules, investigation playbooks, incident response reporting, hardening baselines, automation, and threat intelligence operations. Every module produces deployable assets — not theory you shelve.
Overview
SOC Operations is a complete learning course that builds a production SOC capability module by module. You start with the organisational framework — operating models, analyst tiers, escalation paths, and the SOC charter. Then you build detection rules across four M365 domains, investigation playbooks for the most common attack scenarios, incident response documentation templates, hardening baselines, automation workflows, operational metrics, and a threat intelligence programme.
Every module produces deployable assets: KQL detection rules you can paste into Sentinel, playbooks your team can follow during live incidents, report templates your CISO can read, and hardening checklists you can work through this week.
Audience profile
SOC analysts and detection engineers working in Microsoft 365 environments who want structured methodology, production KQL queries, and tested operational workflows they can deploy immediately.
Security operations managers building or maturing a SOC team — the course provides the complete organisational framework alongside the technical assets.
IT professionals transitioning into SOC roles who have completed M365 Security Operations and want to build the operational infrastructure for their SOC.
This course assumes working knowledge of Microsoft Sentinel, KQL, and M365 security concepts. If you need that foundation first, start with M365 Security Operations.
Course syllabus
13 modules across four phases. Every module produces operational assets you deploy to your environment.
Phase 1 — Foundation (Modules 0–2): SOC operating models, analyst tiers, detection engineering methodology, MITRE ATT&CK coverage mapping, and the SOC charter.
Phase 2 — Detection Libraries (28 rules): Production KQL detection rules across identity, email, endpoint, and cloud domains. Each rule includes full specification, annotated KQL, false positive analysis, and response actions.
Phase 3 — Investigation & Response (Modules 7–8): Three complete investigation playbooks (AiTM, BEC, ransomware) with binary decision trees, plus four IR report templates for every audience from the SOC team to the board.
Phase 4 — Operational Maturity (Modules 9–12): 45 hardening controls with validation queries, five automation playbook templates, SOC metrics dashboards, and a threat intelligence operations programme.
Total: 167,000+ words of operational content. 28 detection rules. 3 playbooks. 4 IR templates. 45 hardening controls. 5 automation templates.
Course modules
How to approach this course
Recommended path
Work through the phases in order. Phase 1 (SOC Foundations + Detection Engineering) provides the organisational and methodological framework that everything else builds on. Phase 2 (Detection Rules) gives you production KQL. Phase 3 (Playbooks + Reports) operationalises the detections. Phase 4 (Hardening, Automation, Metrics, TI) matures the capability.
If you already run a SOC and want specific assets, jump directly to the modules you need — each module is self-contained with all the context required.
How it connects to M365 Security Operations
SOC Operations builds on the investigation skills taught in M365 Security Operations. The M365 course teaches you how to investigate incidents. This course gives you the operational infrastructure to run a SOC — detection rules, playbooks, documentation, hardening, automation, and metrics.
Take M365 Security Operations to build the skills. Take SOC Operations to build the infrastructure. Take both to build a complete SOC capability.
See for yourself
Available with a paid subscription. Start with M365 Security Operations if you need the investigation foundation first, or dive straight into SOC Operations if you already have the skills and need the infrastructure.