Ridgeline Cyber

M365 Security Operations M365 Security: From Admin to Defender SOC Analyst Operations

Get Started Free

Introduction 0.1 Mission and Course Blueprint 0.1 Mission, Course Structure, and Who This Is For 0.2 SC-200 Exam Overview and Study Strategy 0.2 Who This Course Is For 0.3 Curriculum Breakdown 0.3 How to Learn from This Course 0.4 How to Learn from This Course 0.4 Lab Setup: M365 E5 Developer Tenant 0.5 Lab Environment, Resources, and Support 0.5 Lab Setup: Azure Subscription and Sentinel Workspace 0.6 Lab Setup: Sample Data and Validation 0.7 Module Summary 0.8 Check My Knowledge

Introduction 1.1 Introduction to Microsoft Defender XDR Threat Protection 1.2 Mitigate Incidents Using Microsoft Defender XDR 1.3 Remediate Risks with Microsoft Defender for Office 365 1.4 Manage Microsoft Defender for Endpoint Investigations 1.5 Mitigate Threats Using Microsoft Defender for Identity 1.6 Secure Cloud Apps with Microsoft Defender for Cloud Apps 1.7 Unified Portal Operations: Daily SOC Workflow 1.8 Cross-Product Incident Correlation 1.9 Module Summary 1.10 Check My Knowledge

Introduction 1.1 Defender for Endpoint 1.2 Defender for Office 365 1.3 Defender for Identity 1.4 Defender for Cloud Apps 1.5 Entra ID Protection 1.6 Microsoft Sentinel 1.7 Microsoft Purview 1.8 Microsoft Intune 1.9 Microsoft Defender XDR 1.10 How the Ecosystem Integrates 1.11 Licensing, Lab Setup, and Module Assessment

Introduction 2.1 How KQL Works and Key Tables 2.2 Core Operators 2.3 Time Functions and Joins 2.4 Parsing Semi-Structured Data 2.5 Investigation Patterns and Query Organization 2.6 Exam Relevance and References

Introduction 3.1 Portal Layout and Incident Hierarchy 3.2 Working the Incident Queue 3.3 Advanced Hunting 3.4 Response Actions and Automation 3.5 Notifications, RBAC, and Exam Relevance 3.6 Threat Analytics 3.7 Secure Score and Exposure Management 3.8 Email Investigation with Threat Explorer 3.9 Device Investigation Page 3.10 Module Assessment

Introduction 4.1 Two Tables, Not One 4.2 Key Fields in the Sign-In Log 4.3 Investigation Patterns 4.4 Reading a Sign-In Event 4.5 Volume Management and Exam Relevance 4.6 Conditional Access Analysis 4.7 Legacy Authentication Detection 4.8 Token Replay Investigation 4.9 Building Sign-In Baselines 4.10 Module Assessment

Introduction 5.1 What Sentinel Is and When You Need It 5.2 Workspace Architecture Decisions 5.3 Creating Your First Workspace 5.4 Log Types: Analytics vs Basic vs Archive 5.5 Cost Management and Optimization 5.6 Enabling the M365 Defender Connector 5.7 Enabling the Entra ID Connector 5.8 Content Hub and Solutions 5.9 Workspace Health and Monitoring 5.10 Module Assessment

Introduction 6.1 Construct KQL Statements for Microsoft Sentinel 6.2 Analyze Query Results Using KQL 6.3 Build Multi-Table Statements Using KQL 6.4 Work with String Data in KQL 6.5 Security-Specific KQL Patterns 6.6 Building an Investigation Query Library 6.7 KQL Performance Optimization and Query Debugging 6.8 Real-World Query Building Exercises 6.9 Module Summary 6.10 Check My Knowledge

Introduction 6.1 Building an Ingestion Strategy 6.2 Microsoft First-Party Connectors 6.3 Third-Party Connectors: Syslog and CEF 6.4 Data Collection Rules (DCRs) 6.5 Custom Logs and API Ingestion 6.6 Connector Troubleshooting 6.7 Connector Validation and Ongoing Monitoring 6.8 Module Assessment

Introduction 7.1 Onboarding Devices 7.2 Sensor and Client Configuration 7.3 Attack Surface Reduction (ASR) Rules 7.4 EDR and Automated Investigation Configuration 7.5 The Device Investigation Page 7.6 Device Isolation and Response Actions 7.7 Device Groups and RBAC 7.8 Device Compliance and Conditional Access 7.9 Threat and Vulnerability Management 7.10 Module Assessment

Introduction 8.1 Email Threat Landscape and Architecture 8.2 Anti-Phishing Policies 8.3 Safe Links Policies 8.4 Safe Attachments Policies 8.5 Zero-Hour Auto Purge (ZAP) 8.6 Email Authentication: SPF, DKIM, DMARC 8.7 Transport Rules for Security 8.8 Threat Explorer Deep Dive 8.9 Automated Investigation and Response for Email 8.10 Module Assessment

Introduction 13.1 Understanding AiTM Attacks 13.2 The Incident Briefing 13.3 Setting Up Your Investigation 13.4 Wave 1: Email Analysis 13.5 Wave 1: Sign-In Log Investigation 13.6 Wave 1: Post-Compromise Activity 13.7 Containment Playbook 13.8 Eradication and Verification 13.9 Waves 2-5: Campaign Tracking 13.10 Cross-Wave Correlation 13.11 Writing the CISO Report 13.12 Exchange Online Hardening 13.13 Detection Engineering 13.14 Lessons Learned 13.15 Module Assessment

Your progress

Loading...

1.9 Module Summary

10-14 hours · Module 1 · Free

Module 1 Summary

What you learned

This module taught you to operate the Microsoft Defender XDR platform — the unified security interface that every SOC analyst uses daily. You learned the four Defender products and their detection domains, the incident lifecycle from triage to closure, investigation techniques for email, endpoint, identity, and cloud app threats, and the operational workflow that ties it all together.

Skills checklist

After completing this module, you should be able to say:

I understand the four Defender pillars (Endpoint, Office 365, Identity, Cloud Apps) and what each detects
I can navigate the Defender XDR portal and find the incident queue, Advanced Hunting, Threat Explorer, and Action center
I can triage an incident in 5 minutes using the assessment framework
I understand how XDR correlation groups alerts into incidents
I can investigate email threats using Threat Explorer and take remediation actions (soft delete, block)
I can read a device timeline and interpret process trees for malware detection
I understand Defender for Identity detections (Kerberoasting, pass-the-hash, reconnaissance)
I can investigate cloud app threats using CloudAppEvents (inbox rules, OAuth abuse)
I know the daily SOC shift-start routine (queue, handover, pipeline health, threat analytics)
I can build cross-product KQL queries that trace an attack across email, identity, endpoint, and cloud apps
I can document investigation progress in incident comments for handover

SC-200 exam objectives covered

Domain 1 — Manage a SOC Environment:

Configure settings in Microsoft Defender XDR (1.1)
Manage automated investigation and response (1.2)
Configure automatic attack disruption (1.2)

Domain 3 — Manage Incident Response:

Investigate and remediate threats by using Defender for Office 365 (1.3)
Respond to Defender for Endpoint alerts, device timelines, response actions (1.4)
Investigate identity alerts from Defender for Identity (1.5)
Investigate cloud app risks from Defender for Cloud Apps (1.6)

Bridge to Module 7

Module 7 (Configure Your Microsoft Sentinel Environment) extends your investigation capabilities beyond the Defender XDR portal. Sentinel ingests data from Defender XDR AND from third-party sources — firewalls, Linux servers, custom applications — giving you a broader view. The KQL skills from Module 6 and the investigation patterns from this module carry directly into the Sentinel environment.

← 1.8 Cross-Product Incident Correlation 1.10 Check My Knowledge →

Ridgeline Cyber Defence

Practical M365 security training, toolkits, and services for the people who defend organisations.

Training

Courses Labs Resources Pricing

Company

About Subscribe ridgelinecyber.com

Legal

Privacy Policy Terms of Service Refund Policy

© 2026 Ridgeline Cyber Defence Ltd. All rights reserved.