Operations Track

For Security Engineers, Detection Engineers, and Operations Managers Building SOC Infrastructure in M365 Environments

Aligned to NIST SP 800-61 · MITRE ATT&CK · CIS Controls · Mandiant tradecraft

Security Operations Center (SOC) Operations

Build and operate a SOC that detects, investigates, and improves — not just triages.

Build detection rules, investigation playbooks, incident response documentation, hardening baselines, automation workflows, and threat intelligence operations as a complete SOC program. Every module produces deployable assets — 28 production KQL detection rules, investigation playbooks for every major alert type, and the operational metrics that prove your SOC is improving.

Content last updated: May 2026

Text-based · Persistent labs on your own hardware · 2 free modules available now · 36 CPE credits

What you'll deploy
SOC operational playbooks for triage, escalation, and shift handover
Alert classification framework with severity definitions and SLAs
Incident management workflow from detection through post-incident review
SOC metrics dashboard design (MTTD, MTTR, alert-to-incident ratio)
Analyst onboarding program with competency milestones
Stakeholder communication templates for incident reporting
SOC OPERATIONS — 13 MODULES
S1 SOC Foundations
S2 Detection Engineering
S3 Identity (7 rules)
S4 Email (7 rules)
S5 Endpoint (7 rules)
S6 Cloud (7 rules)
S7 Playbooks (3)
S8 IR Reports (4)
S9 Hardening (45)
S10 Automation (5)
S11 Metrics
S12 Threat Intel
28 rules · 3 playbooks · 167,000+ words of operational content
Complete SOC capability: detect → investigate → contain → document → improve

What you'll be able to do

Build and deploy 28 production KQL detection rules
Create investigation playbooks for every major alert type
Produce incident response documentation and reports
Measure SOC performance with operational metrics
Build threat intelligence operations into SOC workflows

Build a SOC that operates — not just exists

Every module produces a deployable operational artifact: detection rules tested against real data, investigation playbooks with binary decision points, hardening baselines with validation queries, automation templates, and metrics dashboards. 28 detection rules, 3 playbooks, 4 IR templates, 45 hardening controls, and 5 automation templates across the course.

Who this course is for

SOC analysts building operational maturity. You triage alerts and investigate incidents. This course teaches you to build the detection rules, playbooks, and processes that make your SOC repeatable and measurable.

Security engineers standing up SOC capability. You need to build a SOC from detection engineering through automation. This course provides the complete framework.

SOC leads measuring and improving performance. Phase 4 covers metrics, reporting, automation, and threat intelligence — the operational maturity material.

Anyone with a genuine interest in SOC operations. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

28 detection rules across four domains

Identity and access (7 rules), email and collaboration (7 rules), endpoint and lateral movement (7 rules), cloud and SaaS (7 rules). Every rule includes entity mapping, MITRE ATT&CK technique, alert grouping, false positive guidance, and the compliance control it satisfies. Designed for production deployment to Sentinel.

What this produces

28 production KQL detection rules, investigation playbooks for every major alert type, automation workflows, and the operational metrics dashboard. A complete SOC program with deployable assets in every module — the capability jump between "I work in a SOC" and "I run SOC operations."

What you will be able to do

1. Operate a security operations center with documented triage procedures, escalation paths, and shift handoff processes.

2. Build and tune detection rules that generate actionable alerts — reducing false positives while maintaining detection coverage across MITRE ATT&CK techniques.

3. Investigate security alerts using structured methodology — from initial triage through evidence collection, analysis, containment, and documentation.

4. Deploy investigation playbooks for common incident types — step-by-step decision trees that enable consistent response.

5. Build SOC metrics and reporting that demonstrate operational effectiveness to leadership — MTTD, MTTR, alert volumes, and detection coverage tracking.

Course at a glance

Modules: 12 (S0–S11) across 4 phases

Estimated duration: 20–25 hours (self-paced)

Format: Written content — annotated KQL queries, SVG diagrams, worked artifacts, knowledge checks

Deliverables: 28 detection rules, 3 playbooks, 4 IR templates, 45 hardening controls, 5 automation templates

Typical pace: ~5–10 weeks at 5 hrs/week

Hands-on labs: 7 interactive

MITRE ATT&CK coverage: 57 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments, including leading cyber incident response engagements, deploying security controls, and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

M365 environment: Access to a Microsoft 365 tenant with Defender XDR and Sentinel. An M365 Developer Tenant (free from developer.microsoft.com) is sufficient.

KQL proficiency: Working ability to write basic KQL queries. If KQL is new: the M365 Security Operations course includes KQL fundamentals.

How to get the most from this course

Recommended pace: 1–2 modules per week, 20–25 hours total over 6–8 weeks.

Deploy the detection rules to your tenant. The 28 rules are designed for production. Deploy them, tune the thresholds, and start generating operational data.

Build the playbooks before you need them. Investigation playbooks are most valuable when they exist before the incident.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Course Syllabus

Four phases. S0–S1 are free — no account required.

What you get that you will not find elsewhere

This is not alert triage training. Alert triage is one skill. This course teaches SOC operations as a discipline — shift management, detection backlog ownership, alert pipeline tuning, stakeholder communication, and the operational cadence that turns a reactive team into a proactive one.

The Tier 2/3 capability jump. Most SOC training targets Tier 1. This course teaches the operational skills that separate "I work in a SOC" from "I run SOC operations."

Practical management skills. Incident communication, escalation decisions, coverage reporting, and the metrics that demonstrate SOC value to leadership.

Where this course fits

Incident Triage teaches the analyst methodology. This course teaches the operational framework the SOC runs on.

Detection Engineering builds the rules. This course manages the detection backlog and alert pipeline those rules feed into.

Security Automation automates response. This course defines what to automate and how to measure the result.

Recommended learning path: SOC Ops → Triage → DE → SA. A learner can start at any course.

The outcome

You start triaging alerts. You finish running the operation.

Operational cadence — shift management, detection backlog, alert pipeline tuning.

Stakeholder communication — incident briefs, coverage reports, and the metrics leadership needs.

The Tier 2/3 skillset — incident management, escalation decisions, and cross-team coordination.

Prerequisites

Required: 1+ years in a SOC, IT security, or security operations role. Basic KQL proficiency and familiarity with the M365 security portal.

Recommended: Active SOC analyst experience. The course builds on real operational scenarios — prior alert triage and incident handling experience accelerates every module.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 1.0 | Last updated: 2026

2026 — v1.0: Complete course. All 12 modules active. 28 detection rules, 3 playbooks, 4 IR templates, 45 hardening controls.

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.