0.3 Curriculum Breakdown
What This Course Covers
Each module below is a self-contained unit with its own learning objectives, KQL queries, exercises, and knowledge checks. Modules build on each other sequentially, but each can be used as a standalone reference once you have worked through it.
Phase 1 — Foundations (FREE, no account required)
How the course works. Who it is for. How to navigate a text-only format. How to set up your lab environment. Reading time: 10 minutes.
Complete map of all 9 components: Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Entra ID Protection, Microsoft Sentinel, Microsoft Purview, Intune, and Defender XDR. For each component: what it does, its sub-components, the KQL tables it populates, how it connects to the ecosystem, and what license unlocks it. Includes a 10-step walkthrough of an AiTM attack as it passes through every component. Licensing reference table and lab setup instructions.
The pipe model. Core operators (where, project, extend, summarize, sort, take). String matching (has vs contains with performance analysis). Time functions (ago, bin, datetime_diff, hourofday). Table joins (innerunique, inner, leftouter, anti). Parsing semi-structured data (parse_json, mv-expand, parse_url). Seven complete investigation query patterns (account triage, brute force, password spray, impossible travel, token replay, inbox rules, phishing campaign). KQL cheat sheet reference cards. Every query includes an "Expected Output" block explaining what the results mean.
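As an added illustration of the operators this module lists (this query is not part of the course material), here is the password-spray pattern written against Microsoft Sentinel's SigninLogs table from the Entra ID connector: where, summarize with bin and make_set, and a leftouter join, all on a string-typed ResultType. The 10-minute bin, the 10-account threshold and the 1-hour follow-up window are assumptions you would tune per tenant.

```kql
// Added example: password spray over Sentinel's SigninLogs (Entra ID connector).
// The bin size, account threshold and 1-hour follow-up window are assumptions.
let lookback = 1d;
let window = 10m;
let min_accounts = 10;
// Step 1: one source IP failing with 50126 (bad username or password) against
// many distinct accounts inside a single time bin. ResultType is a string column.
let sprays = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"
    | where isnotempty(IPAddress)
    | summarize
        DistinctAccounts = dcount(UserPrincipalName),
        Failures = count(),
        Targeted = make_set(UserPrincipalName, 25),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
        by IPAddress, WindowStart = bin(TimeGenerated, window)
    | where DistinctAccounts >= min_accounts;
// Step 2: successful sign-ins from any IP in the same lookback, so we can tell
// whether the spray actually found a valid password.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated,
              SucceededUser = UserPrincipalName, AppDisplayName;
// Step 3: leftouter keeps every spray window even when the IP never succeeded;
// the countif/make_set_if predicates restrict "success" to the hour after the window
// without dropping spray rows whose successes fall outside it.
sprays
| join kind=leftouter successes on IPAddress
| summarize
    SuccessesWithin1h = countif(SuccessTime between (WindowStart .. (WindowStart + 1h))),
    SucceededUsers = make_set_if(SucceededUser, SuccessTime between (WindowStart .. (WindowStart + 1h)), 10),
    Targeted = take_any(Targeted)
    by WindowStart, IPAddress, DistinctAccounts, Failures
| extend Outcome = iff(SuccessesWithin1h > 0, "success after spray", "spray only")
| order by SuccessesWithin1h desc, DistinctAccounts desc
```

Rows with Outcome "success after spray" are the ones to open first: the SucceededUsers column names the accounts whose password the spray guessed. A low-and-slow spray spread across many IPs or a bin longer than the window will not cross the threshold; widening the bin and summarizing by UserAgent or Location instead of IPAddress are the usual next variations.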
Portal layout and daily workflow. The incident-alert-evidence hierarchy. Incident queue triage (60-second decision framework). Alert tuning and suppression rules. Advanced hunting (KQL in the portal, custom detection rules). Response actions by product with blast radius analysis. Attack disruption. Threat Analytics for proactive threat assessment. Threat Explorer for email investigation. Device investigation page and timeline reading. RBAC tiers. Includes an interactive portal simulation.
The two sign-in tables (interactive vs non-interactive) and why both matter. The eight fields you check on every sign-in. Error code reference (50126, 50053, 50074, 53003). Investigation patterns with KQL. A 5-step animated walkthrough of reading a sign-in event field by field. Conditional access policy analysis (parsing CA JSON, finding gaps, analyzing report-only policies). Legacy authentication detection and migration planning. Token replay investigation (the anti-join detection pattern). Building sign-in baselines for proactive monitoring.
Phase 3 — Investigation Scenarios (PAID, highlight)
Complete incident response walkthrough based on a real five-wave AiTM phishing campaign (sanitized). 15 subsections covering: AiTM mechanics and phishing kit analysis, incident briefing with MITRE ATT&CK mapping, investigation workspace setup, email campaign analysis (Threat Explorer + KQL), sign-in log token replay detection (anti-join pattern), 6-check post-compromise analysis (inbox rules, forwarding, OAuth, MailItemsAccessed, files, lateral phishing), 7-step containment playbook with verification queries, eradication and 7-day monitoring, wave-by-wave campaign tracking, cross-wave correlation and IOC extraction, CISO report writing with executive summary template, Exchange Online hardening (conditional access, transport rules, FIDO2 planning), 6 Sentinel detection rules with MITRE mapping, formal lessons learned process, and a 15-question final assessment. 14,000+ words. Every KQL query includes expected output with analyst guidance.
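Both the sign-in module above and this scenario name the anti-join pattern for token replay. As an added example (not the course's own query), here is one common form of it over Sentinel's SigninLogs (interactive) and AADNonInteractiveUserSignInLogs (non-interactive) tables: every (user, IP) pair seen in successful interactive sign-ins over a baseline period is removed from the recent non-interactive sign-ins with a leftanti join, leaving token use from places the user never authenticated. The 30-day baseline and 1-day recent window are assumptions.

```kql
// Added example: token replay, anti-join form, over Sentinel's Entra ID sign-in tables.
// The 30-day baseline and 1-day recent window are assumptions, not course settings.
let baseline = 30d;
let recent = 1d;
// Every (user, IP) pair with at least one successful interactive sign-in in the baseline.
// UPNs are lower-cased on both sides so the join key matches regardless of case.
let interactive_pairs = SigninLogs
    | where TimeGenerated > ago(baseline)
    | where ResultType == "0"
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | summarize by UserPrincipalName, IPAddress;
// Successful non-interactive (token-backed) sign-ins whose (user, IP) pair has no
// interactive match: the token is being presented from an address the user never
// signed in from. In an AiTM case the interactive sign-in carries the proxy's IP and
// the stolen session is replayed from the attacker's own machine, so that machine
// surfaces here.
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| extend UserPrincipalName = tolower(UserPrincipalName)
| join kind=leftanti interactive_pairs on UserPrincipalName, IPAddress
| summarize
    TokenUses = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Apps = make_set(AppDisplayName, 10),
    UserAgents = make_set(UserAgent, 5)
    by UserPrincipalName, IPAddress
| order by TokenUses desc
```

Treat the output as a triage lead, not a verdict: mobile carrier NAT and VPN egress churn produce benign hits, and an attacker who replays the session from the same host that proxied the victim's login will not appear at all. Correlating the session identifier across the two tables, and checking the post-compromise indicators this scenario lists (inbox rules, forwarding, OAuth grants, MailItemsAccessed), is what turns a hit into a confirmed replay.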
Phases 2 and 4
Phase 2 (Modules 5-12) covers environment configuration: Sentinel workspace design, data connectors, Defender product configuration, analytics rules, and exposure management. Phase 4 (Modules 23-28) covers threat hunting, automation, workbooks, and Security Copilot. Full curriculum details are on the course page.