Course Introduction

45 minutes · Module 0 · Free

What this course is

This is a practical Microsoft 365 security operations course — investigation methodology, detection engineering, and hardening across the full Microsoft Defender XDR and Sentinel stack. Seventeen modules take you from portal orientation through complete investigations of the five attack types that dominate M365 environments in 2026.

The course follows one principle: every module produces something you deploy. Not study notes. Not exam prep flashcards. Deployable detection rules, investigation playbooks, and hardening checklists that go directly into your own M365 tenant. Twenty-nine analytics rules, five investigation playbooks, and five operational checklists across the course — designed for production use.

This is not a video course. That is a feature. Security operators do not watch videos during a deployment window or an active incident. They read technical documentation, parse logs, and execute scripts. This platform is built in the same format you work in — text, code, and decision trees. Every KQL query is copy-pasteable and executable in your own tenant. Every configuration step includes a verification command that confirms it worked. The format matches the operational reality of the job, and it updates in minutes when Microsoft changes a portal layout or renames a feature.

The SC-200 exam objectives are fully covered — every module maps to the January 2026 update. But the certification is the side effect of operational competence, not the goal. You'll pass the exam because you've done the work, not because you've memorized the answers.

What this course teaches

Seventeen modules across four phases. Modules 0 and 1 are free — no account required.

Phase 1 — Foundations (M0, M1). You are here now. M0 contains the lab setup instructions you need for every hands-on exercise in the course and the operational philosophy that defines how the platform teaches. M1 walks the Defender XDR unified portal — the incident queue, cross-product correlation, response actions across endpoint, email, identity, and cloud apps. By the end of Phase 1, you have a working M365 tenant with sample data and know how to navigate the investigation tools.

Phase 2 — Microsoft Security Stack (M2–M5). Four modules covering every Defender workload in depth. Defender for Endpoint — onboarding, ASR rules, EDR, advanced hunting on endpoint tables, live response (M2). Microsoft Purview — sensitivity labels, DLP policies, insider risk management, audit log investigation, eDiscovery for security (M3). Defender for Cloud — workload protection, CSPM, multi-cloud connectivity, regulatory compliance (M4). Security Copilot — AI-assisted investigation, incident summarization, KQL generation, embedded Copilot across all workloads (M5). Each module goes beyond portal orientation to engineering-depth configuration with production deployment guidance.

Phase 3 — Sentinel Operations (M6–M11). Six modules building your SIEM capability. KQL from fundamentals through advanced hunting — filtering, aggregation, joins, time-series analysis, and the operators you use in every investigation (M6). Sentinel workspace architecture — log retention tiers, cost management, multi-workspace design (M7). Data connectors and ingestion strategy — connecting M365, Entra ID, Defender XDR, and third-party sources with cost optimization (M8). Defender for Office 365 — anti-phishing policies, Safe Links, Safe Attachments, email authentication, Threat Explorer (M9). Detection engineering — analytics rules, entity mapping, alert grouping, MITRE ATT&CK classification, automation, and a 10-rule starter library (M10). Threat hunting — eight KQL patterns, hypothesis methodology, MITRE-driven rotation, and the program framework that makes hunting sustainable (M11).

Phase 4 — Investigation Scenarios (M12–M16). Five complete worked investigations, each exercising every skill from Phases 2 and 3 in the context of a specific attack type. AiTM credential phishing — a five-wave campaign with eight detection rules, investigation playbook, IR report template, and hardening checklist (M12, the flagship module). BEC and financial fraud — vendor payment diversion, financial recovery, law enforcement coordination (M13). Token replay and session hijacking — post-authentication persistence, token lifecycle tracing, CAE deployment (M14). Consent phishing and OAuth grant abuse — tenant-wide consent audit, admin consent workflow (M15). Insider threat — departing employee data exfiltration, covert investigation, HR/legal coordination, evidence preservation to employment law standards (M16).

You can study the course linearly (M0 → M16) or in a modified order once Phase 1 is complete. If you already have KQL and SOC experience, jump to Phase 2 or Phase 3 — but read M1 (Defender XDR) regardless. Experienced analysts can go straight to Phase 4 investigation scenarios if they have the prerequisite investigation skills from Phases 2 and 3.

Who this course is for

Anyone who operates, investigates, or engineers security in a Microsoft 365 environment. The course is built for self-directed learners, and how much of it applies depends on where you sit now and where you want to go.

SOC analyst in an M365 environment. You triage alerts in Defender XDR and investigate incidents in Sentinel. You want to deepen your investigation methodology beyond the alert queue — tracing attacks across email, identity, endpoint, and cloud app telemetry — and leave each module with deployable detection rules that catch the attacks you've just investigated.

Security engineer configuring M365 protection. You manage Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, and Sentinel. You want to configure these products for maximum detection coverage with minimal false positives, and you want a structured approach to deployment that doesn't break production. The course teaches you to configure, validate, and tune — not just enable.

IT administrator transitioning to security. You manage an M365 tenant and have been given security responsibility. You know the portals, you understand authentication and conditional access, but you've never investigated a credential phishing campaign or written a KQL detection rule. This course provides the structured methodology to investigate incidents and deploy protection — and maps directly to SC-200 certification if your organization requires it.

Incident responder adding M365 cloud investigation. You investigate incidents on Windows endpoints but your cloud investigation skills are limited to reading sign-in logs. Phase 3 (Sentinel Operations) and Phase 4 (Investigation Scenarios) give you the M365-specific investigation methodology — how to trace AiTM phishing, track token replay, investigate consent phishing, and construct cross-environment timelines.

Anyone with a genuine interest in M365 security operations. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

Prerequisites

Two required, one recommended. Read each and self-assess honestly.

IT administration experience (1+ years). You should be comfortable navigating the M365 admin center, managing user accounts, and understanding basic authentication concepts (passwords, MFA, conditional access). You do not need deep security experience — the course teaches the security discipline. You do need to know where things live in the Microsoft portal ecosystem.

Access to an M365 tenant. You need a tenant to run the KQL queries and deploy the detection rules. Options: your production tenant (the configurations are designed for production deployment), or an M365 Developer Tenant (free, 25 E5 licenses — sign up at developer.microsoft.com/microsoft-365/dev-program). The developer tenant is recommended for learners who want to experiment freely. M0.4 walks the setup step by step.

Recommended: basic KQL experience. You should be able to write a basic KQL query — a where filter, a project to select columns, a summarize to aggregate. If KQL is entirely new, the course covers it in M6 (KQL Fundamentals), but working through Microsoft Learn's free "Write your first query with KQL" primer before Phase 3 will accelerate your progress.
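As an added illustration of the level of KQL the prerequisite describes (not a query taken from the course or from Microsoft's documentation), the following query uses the standard Sentinel SigninLogs table populated by the Entra ID sign-in connector. The 24-hour window and the threshold of five failures are assumed values chosen for the example, not figures the page gives.

```kql
// Added example: a basic KQL query at the level the prerequisite describes.
// Assumes the standard Sentinel SigninLogs table (Entra ID sign-in connector).
// The 24h window and the failure threshold of 5 are assumed values.
SigninLogs
| where TimeGenerated > ago(24h)          // where: filter to a time window
| where ResultType != "0"                // where: keep failed sign-ins only ("0" is success)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType
                                         // project: keep only the columns of interest
| summarize FailedSignIns = count(),     // summarize: aggregate per user and source IP
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName)
          by UserPrincipalName, IPAddress
| where FailedSignIns >= 5               // where on the aggregate: surface repeated failures
| order by FailedSignIns desc
```

Run it from the Logs blade of your Sentinel workspace. If it returns no rows, check first that the sign-in connector has ingested data (the validation step in M0.6 covers this) before assuming there were no failed sign-ins.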

Nothing else is required. You do not need a background in programming, incident response, or red teaming. Specific depth in those areas makes some modules easier (particularly the Phase 4 investigations), but none is prerequisite.

Lab setup

Everything runs in the M365 portal. No local VMs, no third-party tools, no commercial software licenses.

M365 Developer Tenant (free). From developer.microsoft.com — 25 user licenses, full E5 environment, renewable. Provides Entra ID, Exchange Online, SharePoint, Teams, Defender XDR, and Purview audit. This is the BYOT (Bring Your Own Tenant) model: everything you build in the course deploys directly into your tenant, and you keep it after the course. Setup instructions are in M0.4.

Azure subscription (free tier). Linked to your developer tenant. Deploy a Sentinel workspace with the free data connectors (Entra ID sign-ins, Office 365 audit, Defender XDR). The free tier includes 5 GB per day of Log Analytics ingestion — enough for learning. Setup instructions are in M0.5.

Sample data. Load the Microsoft sample data packs into your developer tenant to populate sign-in logs, mailbox activity, and device events for practice queries. M0.6 walks the validation to confirm your data is ready.

No lab needed for Phase 1. You can complete M0 and M1 without any tenant configured — the content is readable without a lab. But you'll want the tenant active before M2.

What you can skip: you don't need to configure anything before starting M0.1. The lab setup is M0.4 through M0.6 — the first three subsections (M0.1–M0.3) cover course structure, SC-200 mapping, and learning methodology before you touch the portal.

How the course is structured

Every module from M2 onward follows the same pattern. You will encounter these elements in every content subsection.

Objective header. The problem the subsection solves, the deliverable, and the time estimate.

Diagram. Every subsection has an SVG diagram — the architecture, the attack flow, the decision tree, or the relationship between components.

Worked examples. Annotated KQL queries with line-by-line explanation, portal walkthroughs with verification commands, and complete investigation sequences with real telemetry data.

Decision Point. Operational scenarios with a choice and the correct call — the judgment calls real analysts make under time pressure.

Try-it. Exercises you do in your own tenant. Four components: Setup, Task, Expected Result, and Debugging Branch.

Compliance Myth. Common misconceptions stated as myths with the production reality. M365 security is full of vendor marketing claims and documentation that doesn't match production behavior — the myths call these out.

Artifact footer. An operational artifact you extract and deploy — a KQL detection rule, an investigation playbook step, a hardening checklist item, a configuration template.

Module completion pattern. Each module has content subsections (eight to sixteen depending on the module), a module summary, and a Check My Knowledge subsection with scenario-based questions. Phase 4 investigation modules are the longest — M12 (AiTM) has sixteen subsections covering a complete five-wave campaign investigation.

Time per phase

The course is self-paced. There are no cohorts, no fixed deadlines, no streaks.

Phase 1 (M0, M1): One to two evenings. M0 is lab setup and orientation (45 minutes). M1 is the Defender XDR unified portal (2–3 hours).

Phase 2 (M2–M5): Two to three weeks at five to eight hours per week. Four modules covering the full Defender stack. M4 (Defender for Cloud) is the densest module in this phase.

Phase 3 (M6–M11): Three to four weeks at the same pace. Six modules covering Sentinel operations. M6 (KQL) and M10 (Detection Engineering) are the most intensive.

Phase 4 (M12–M16): Three to four weeks. Five complete investigation scenarios. M12 (AiTM) is the flagship — plan a full weekend or several evenings for the complete investigation, report, and detection rule deployment.

Full course at five to eight hours per week: ten to eighteen weeks. Recommended pace: one to two modules per week alongside a full-time role. Deploy every artifact — the course produces real security value when you deploy, not just when you read.

Start here

Go next to M0.1 — Mission, Course Structure, and Who This Is For. It establishes the operational philosophy, maps the course structure to SC-200 exam domains, and explains the BYOT model that makes every configuration you build yours to keep.

After M0.1, the remaining M0 subsections cover SC-200 exam strategy (M0.2), learning methodology (M0.3), M365 developer tenant setup (M0.4), Azure subscription and Sentinel workspace setup (M0.5), sample data loading and validation (M0.6), a module summary (M0.7), and a scenario-based knowledge check (M0.8).

Work through M0 in order. The lab setup in M0.4–M0.6 is required for every hands-on exercise from M2 onward. If you skip it, you will hit exercises you cannot complete.

You've set up your M365 tenant and learned the Defender XDR unified portal.

Module 0 got your M365 developer tenant configured with sample data. Module 1 took you through the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps. Now you investigate every major M365 attack type and deploy the detections that catch them next time.

  • 15 investigation and configuration modules — Defender for Endpoint, Purview, Defender for Cloud, Security Copilot, Sentinel workspace design, log ingestion, analytics rules, and threat hunting
  • 5 named attack investigations — AiTM credential phishing, BEC and financial fraud, consent phishing and OAuth grant abuse, token replay and session hijacking, insider threat
  • KQL from fundamentals through advanced hunting — dedicated modules on query language, cross-table joins, statistical analysis, and threat hunting queries
  • SC-200 exam objectives fully covered — every module maps to the January 2026 SC-200 update. The certification is the side effect of operational competence, not the goal
  • Production artifacts per module — detection rules, investigation playbooks, and hardening checklists you deploy to your own tenant