0.1 Mission and Course Blueprint

45 minutes · Module 0 · Free

Mission

This course teaches you to investigate security incidents in Microsoft 365 environments using the tools, data sources, and query language that production SOC teams use daily. By the end, you will be able to detect credential phishing, trace account compromise through sign-in logs, contain active threats, build detection rules, and write incident reports — the complete workflow of a Microsoft security operations analyst.

The course is mapped to every objective on the SC-200 (Microsoft Security Operations Analyst) certification exam, January 2026 update. It is not an exam cram. It teaches the skills the exam tests, in the context of real investigation scenarios, so that passing the exam is a side effect of genuine competence.

Course Blueprint

The course is organized into five phases. Each phase builds on the previous one.

COURSE STRUCTURE: 28 MODULES ACROSS 5 PHASES

Phase 1: Foundations (FREE)
Modules 0-4: Ecosystem, KQL, Portal, Sign-In Logs
No account required. Open access.

Phase 2: Configuration (PAID)
Modules 5-12: Sentinel, Defender, Policies
Build and configure the security stack.

Phase 3: Investigation Scenarios (PAID)
Modules 13-22: AiTM, BEC, Ransomware, Insider
End-to-end investigations from real incidents.

Phase 4: Threat Hunting (PAID)
Modules 23-28: Hunting, Automation, Reporting
Proactive detection and advanced operations.

Phase 5: Ongoing
1 new module + 1 scenario challenge per month

Phase 1 is completely free

Modules 0 through 4 require no account, no payment, and no email. Read them, run the queries, complete the exercises. If the depth and quality convince you the paid content is worth it, subscribe. If not, you still learned KQL and sign-in log investigation for free.

How the phases connect

Phase 1 teaches the language (KQL) and the data (sign-in logs, email events, device telemetry). Phase 2 teaches how to configure the tools that generate that data. Phase 3 is the core — complete investigation scenarios where you use everything from Phases 1 and 2 to investigate real attacks. Phase 4 teaches proactive hunting and automation for analysts who want to go beyond reactive investigation.

You can enter at any phase if you already have the prerequisite skills. But the course is designed to be taken in order — each module references concepts and queries from earlier modules.