0.2 Who This Course Is For
The Ideal Learner
This course is designed for a specific person. If you recognize yourself in any of these profiles, you are in the right place.
Profile A: SOC Analyst (Tier 1-2) in a Microsoft environment
- You work in a SOC that uses Defender XDR, Sentinel, or both
- You triage alerts daily but want deeper investigation skills
- You can navigate the Defender portal but do not write KQL from scratch
- You want to pass the SC-200 but need practical skills, not just exam prep
Profile B: IT Administrator transitioning into security
- You manage an M365 tenant and have been told you are now responsible for security
- You understand Exchange Online, Entra ID, and Intune from an admin perspective
- You have not investigated a security incident before
- You need to learn what to do when an alert fires, not just how to configure policies
Profile C: Security professional from a non-Microsoft background
- You have security experience (Splunk, CrowdStrike, Palo Alto, etc.) but are moving to a Microsoft environment
- You understand security concepts but need to learn the Microsoft-specific tools and data sources
- You know what to look for but not where to find it in Defender XDR and Sentinel
What You Need Before Starting
Required: Basic understanding of what Active Directory and Azure AD (Entra ID) are. You do not need to be an expert — you need to know that users authenticate against a directory service and that M365 uses Entra ID for this.
Helpful but not required: Experience with any query or scripting language (SQL, Splunk SPL, PowerShell). KQL is covered from scratch in Module 2, but prior query experience accelerates learning.
Not required: Prior Microsoft security product experience. Module 1 maps the entire ecosystem from the ground up.
Core Skills You Will Acquire
By the end of this course, you will be able to:
| Skill | Where taught | SC-200 domain |
|---|---|---|
| Write KQL queries against any Microsoft security data table | Modules 2, 4, 23 | Manage a SOC Environment |
| Investigate credential phishing, BEC, and token replay attacks end-to-end | Modules 13-16 | Manage Incident Response |
| Configure Sentinel workspaces, data connectors, and analytics rules | Modules 5-6, 10 | Manage a SOC Environment |
| Build custom detection rules from investigation findings | Modules 10, 13 | Configure Protections |
| Execute containment actions (session revocation, device isolation, email remediation) | Modules 3, 13, 17 | Manage Incident Response |
| Write CISO-facing incident reports with actionable recommendations | Modules 13, 22 | Manage Incident Response |
| Hunt proactively for threats not caught by existing detections | Modules 23-24 | Manage Security Threats |
| Automate response with Sentinel playbooks and automation rules | Module 25 | Configure Protections |