0.7 Module Summary
Module 0 Summary
What you accomplished in this module
Module 0 is the only module in the course that does not teach security operations skills directly. Its purpose is to ensure you have the context, the environment, and the learning approach needed to extract maximum value from every module that follows. If you completed every subsection and verification checklist, you have built the foundation that the entire course stands on.
In subsection 0.1, you learned the course mission — bridging the gap between Microsoft Learn product walkthroughs and production SOC competence. You understood who the course is for: career-changers entering security operations, IT professionals expanding into security, and MSP technicians responsible for client security. You reviewed the prerequisite knowledge inventory and confirmed you have the networking, identity, M365, and operating system fundamentals needed for the technical content. You learned the 16-module course structure: 11 core modules mirroring the SC-200 learning paths plus 5 unique real-world investigation modules. And you understood why the module build order matters — the course is a progression, not a reference library.
In subsection 0.2, you learned the SC-200 exam structure: four domains with specific weight ranges, 40-60 scenario-based questions in 120 minutes, a 700/1000 passing score, and annual renewal via a free online assessment. You reviewed every sub-objective within each domain and understood which course modules cover which exam skills. You learned the study strategy: follow the module order rather than studying domain by domain, practice with scenarios rather than memorizing facts, and use the free Microsoft practice assessment to measure progress. You also learned the exam day logistics and what to expect during both online proctored and testing center experiences.
In subsection 0.3, you learned how to learn from text-based technical training: why text is more durable and precise than video for security operations skills, the active learning approach (read with your lab open, build queries incrementally, attempt exercises before revealing solutions, reason through quiz answers), pacing guidance (one subsection per study session, 8-10 months for part-time learners), note-taking methodology, and spaced repetition strategy for long-term retention.
In subsection 0.4, you set up your M365 E5 lab environment. You chose from three options (Developer Program instant sandbox, E5 trial, or paid license), created your tenant, configured test users with the Northgate Engineering naming convention, and verified access to the M365 admin center, Defender XDR portal, and Entra admin center. Your lab now has at least six test users with E5 licenses and active mailboxes.
In subsection 0.5, you created the Azure infrastructure for Microsoft Sentinel. You obtained an Azure subscription linked to your M365 tenant, created a Log Analytics workspace, enabled Sentinel on the workspace, connected the Microsoft Defender XDR data connector with event tables selected, and connected the Entra ID diagnostic settings for sign-in and audit logs. Your Sentinel workspace is now receiving data from your M365 environment.
In subsection 0.6, you populated your lab with data for investigation practice. You generated sign-in events by logging in as test users, created email data by sending test messages, installed Content Hub solutions for pre-built analytics rules and workbooks, and ran validation queries to confirm data is flowing into your workspace. Your lab environment is now producing the security telemetry that every hands-on exercise in the course depends on.
Skills checklist
After completing this module, you should be able to confirm all of the following. If any item is uncertain, return to the relevant subsection before starting Module 1.
- I have a working M365 E5 lab environment with at least six test users and active mailboxes.
- I can sign into the M365 admin center, Defender XDR portal, and Entra admin center with my admin account.
- I have a Microsoft Sentinel workspace with the Defender XDR and Entra ID data connectors active and event tables selected.
- I can run a KQL query in Sentinel Logs and get results showing data from my connected sources.
- I understand the four SC-200 exam domains and their approximate question weight.
- I know which course modules cover which exam domains.
- I understand the active learning approach and I have committed to running every query and attempting every exercise in my lab environment.
- I have a realistic study pace in mind based on my available time: one subsection per session for part-time study, or two per session for dedicated study.
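As an added example for the checklist item on running a KQL query (this is not query text from the course itself), the following confirms that each connected source has landed rows in the workspace; it assumes the Entra ID diagnostic connector populates SigninLogs and AuditLogs and that the listed Defender XDR event tables were among those selected in subsection 0.5:

```kql
// Added validation query (not from the course): one row per table that received data in the last 24 hours.
// isfuzzy=true lets the union run even if a table has not been created yet (no rows ingested),
// so a missing table shows up as absent from the results rather than failing the query.
union isfuzzy=true
    SigninLogs, AuditLogs,                       // Entra ID diagnostic settings connector (assumed)
    DeviceEvents, EmailEvents,                   // Defender XDR connector tables (assumed selected)
    IdentityLogonEvents, CloudAppEvents
| where TimeGenerated > ago(24h)
| summarize Rows = count(), LatestEvent = max(TimeGenerated) by Table = $table
| order by Table asc
```

A table that was selected in the connector but does not appear in the output has not ingested anything in the window, which usually means the diagnostic setting or event-table selection for that source needs to be rechecked.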
SC-200 objectives covered
Module 0 does not directly cover SC-200 exam objectives. It provides the infrastructure, context, and study strategy needed for all subsequent modules. The lab environment you built here is used in every module from Module 1 onward. The study strategy aligns the course progression with the exam domains so that by Module 12, you have covered every testable skill.
What comes next
The recommended build order starts with Module 6: Create Queries for Microsoft Sentinel Using KQL. Module 6 teaches the query language that powers everything in the course — Advanced Hunting queries, Sentinel analytics rules, threat hunting, workbook visualizations, and investigation workflows. Every technical module after Module 6 uses KQL extensively. Learning KQL first means you can focus on the security concepts in subsequent modules rather than struggling with syntax.
After Module 6, proceed to Module 1: Mitigate Threats Using Microsoft Defender XDR. Module 1 teaches the investigation platform — the Defender XDR portal where you will spend most of your operational time as a SOC analyst. With KQL skills from Module 6 and platform knowledge from Module 1, you have the two foundational capabilities that every subsequent module builds on.
If you prefer to see the Defender XDR portal in action before learning KQL, starting with Module 1 is also a valid approach. Module 1 includes KQL queries with line-by-line explanations, so you can follow along even without completing Module 6 first. However, the recommended order (Module 6 first) produces deeper understanding because you arrive at Module 1 already fluent in the query language.
Your lab environment is ready. Your study approach is defined. The foundation is set. Begin.