Ridgeline Cyber

M365 Security Operations M365 Security: From Admin to Defender SOC Analyst Operations

Get Started Free

Introduction 0.1 Mission and Course Blueprint 0.1 Mission, Course Structure, and Who This Is For 0.2 SC-200 Exam Overview and Study Strategy 0.2 Who This Course Is For 0.3 Curriculum Breakdown 0.3 How to Learn from This Course 0.4 How to Learn from This Course 0.4 Lab Setup: M365 E5 Developer Tenant 0.5 Lab Environment, Resources, and Support 0.5 Lab Setup: Azure Subscription and Sentinel Workspace 0.6 Lab Setup: Sample Data and Validation 0.7 Module Summary 0.8 Check My Knowledge

Introduction 1.1 Introduction to Microsoft Defender XDR Threat Protection 1.2 Mitigate Incidents Using Microsoft Defender XDR 1.3 Remediate Risks with Microsoft Defender for Office 365 1.4 Manage Microsoft Defender for Endpoint Investigations 1.5 Mitigate Threats Using Microsoft Defender for Identity 1.6 Secure Cloud Apps with Microsoft Defender for Cloud Apps 1.7 Unified Portal Operations: Daily SOC Workflow 1.8 Cross-Product Incident Correlation 1.9 Module Summary 1.10 Check My Knowledge

Introduction 1.1 Defender for Endpoint 1.2 Defender for Office 365 1.3 Defender for Identity 1.4 Defender for Cloud Apps 1.5 Entra ID Protection 1.6 Microsoft Sentinel 1.7 Microsoft Purview 1.8 Microsoft Intune 1.9 Microsoft Defender XDR 1.10 How the Ecosystem Integrates 1.11 Licensing, Lab Setup, and Module Assessment

Introduction 2.1 How KQL Works and Key Tables 2.2 Core Operators 2.3 Time Functions and Joins 2.4 Parsing Semi-Structured Data 2.5 Investigation Patterns and Query Organization 2.6 Exam Relevance and References

Introduction 3.1 Portal Layout and Incident Hierarchy 3.2 Working the Incident Queue 3.3 Advanced Hunting 3.4 Response Actions and Automation 3.5 Notifications, RBAC, and Exam Relevance 3.6 Threat Analytics 3.7 Secure Score and Exposure Management 3.8 Email Investigation with Threat Explorer 3.9 Device Investigation Page 3.10 Module Assessment

Introduction 4.1 Two Tables, Not One 4.2 Key Fields in the Sign-In Log 4.3 Investigation Patterns 4.4 Reading a Sign-In Event 4.5 Volume Management and Exam Relevance 4.6 Conditional Access Analysis 4.7 Legacy Authentication Detection 4.8 Token Replay Investigation 4.9 Building Sign-In Baselines 4.10 Module Assessment

Introduction 5.1 What Sentinel Is and When You Need It 5.2 Workspace Architecture Decisions 5.3 Creating Your First Workspace 5.4 Log Types: Analytics vs Basic vs Archive 5.5 Cost Management and Optimization 5.6 Enabling the M365 Defender Connector 5.7 Enabling the Entra ID Connector 5.8 Content Hub and Solutions 5.9 Workspace Health and Monitoring 5.10 Module Assessment

Introduction 6.1 Construct KQL Statements for Microsoft Sentinel 6.2 Analyze Query Results Using KQL 6.3 Build Multi-Table Statements Using KQL 6.4 Work with String Data in KQL 6.5 Security-Specific KQL Patterns 6.6 Building an Investigation Query Library 6.7 KQL Performance Optimization and Query Debugging 6.8 Real-World Query Building Exercises 6.9 Module Summary 6.10 Check My Knowledge

Introduction 6.1 Building an Ingestion Strategy 6.2 Microsoft First-Party Connectors 6.3 Third-Party Connectors: Syslog and CEF 6.4 Data Collection Rules (DCRs) 6.5 Custom Logs and API Ingestion 6.6 Connector Troubleshooting 6.7 Connector Validation and Ongoing Monitoring 6.8 Module Assessment

Introduction 7.1 Onboarding Devices 7.2 Sensor and Client Configuration 7.3 Attack Surface Reduction (ASR) Rules 7.4 EDR and Automated Investigation Configuration 7.5 The Device Investigation Page 7.6 Device Isolation and Response Actions 7.7 Device Groups and RBAC 7.8 Device Compliance and Conditional Access 7.9 Threat and Vulnerability Management 7.10 Module Assessment

Introduction 8.1 Email Threat Landscape and Architecture 8.2 Anti-Phishing Policies 8.3 Safe Links Policies 8.4 Safe Attachments Policies 8.5 Zero-Hour Auto Purge (ZAP) 8.6 Email Authentication: SPF, DKIM, DMARC 8.7 Transport Rules for Security 8.8 Threat Explorer Deep Dive 8.9 Automated Investigation and Response for Email 8.10 Module Assessment

Introduction 13.1 Understanding AiTM Attacks 13.2 The Incident Briefing 13.3 Setting Up Your Investigation 13.4 Wave 1: Email Analysis 13.5 Wave 1: Sign-In Log Investigation 13.6 Wave 1: Post-Compromise Activity 13.7 Containment Playbook 13.8 Eradication and Verification 13.9 Waves 2-5: Campaign Tracking 13.10 Cross-Wave Correlation 13.11 Writing the CISO Report 13.12 Exchange Online Hardening 13.13 Detection Engineering 13.14 Lessons Learned 13.15 Module Assessment

Your progress

Loading...

6.9 Module Summary

8-12 hours · Module 6 · Free

Module 6 Summary

What you learned

This module taught you KQL from first principles to investigation-ready fluency. You progressed from writing your first SigninLogs query to constructing complex cross-table correlations, building reusable query libraries, and completing 5 investigation scenarios from scratch.

Skills checklist

After completing this module, you should be able to say:

I can write a KQL query from a blank editor for any investigation scenario
I understand the pipe model and can read any KQL query by following the data flow
I use where with the correct comparison operators (has over contains, in for lists)
I use project at the end of queries and understand why column order matters
I use extend to add computed columns (time classification, IP categorization, JSON extraction)
I use let for both simple parameterization and sub-query patterns
I use summarize with count, dcount, make_set, arg_max, and other aggregation functions
I use bin() for time-series grouping and render for visualization
I use union to combine tables and join (inner, leftouter, leftanti) to correlate tables
I can extract data from strings using split(), extract(), and parse
I know the 6 security-specific KQL patterns (failed-then-succeeded, first-time-seen, impossible travel, anomalous volume, IOC sweep, entity timeline)
I have started building a parameterized, commented query library
I can debug failing queries systematically using line elimination
I can optimize slow queries by reordering filters and choosing the right operators

SC-200 exam objectives covered

Domain 1 — Manage a SOC Environment:

Query logs in Microsoft Sentinel (covered in 6.1-6.4)

Domain 4 — Manage Security Threats:

Identify threats by using KQL (covered in 6.1-6.5)
Create custom hunting queries by using KQL (covered in 6.5-6.8)

KQL is also embedded in:

Domain 2: Analytics rules are KQL queries (Module 9 builds on this)
Domain 3: Investigation queries use KQL (Modules 11-13 build on this)

Bridge to Module 7

Module 7 (Configure Your Microsoft Sentinel Environment) uses the KQL skills you just built. You will query workspace data, configure watchlists (which are queryable with KQL), and integrate threat intelligence that you will correlate using KQL joins. The workspace configuration itself does not require KQL — but verifying it works does. Every validation query in Module 7 uses operators you learned here.

If you are following the recommended build order (Module 6 → Module 1), Module 1 (Mitigate Threats Using Microsoft Defender XDR) puts your KQL skills to work immediately in the Defender XDR Advanced Hunting interface.

← 6.8 Real-World Query Building Exercises 6.10 Check My Knowledge →

Ridgeline Cyber Defence

Practical M365 security training, toolkits, and services for the people who defend organisations.

Training

Courses Labs Resources Pricing

Company

About Subscribe ridgelinecyber.com

Legal

Privacy Policy Terms of Service Refund Policy

© 2026 Ridgeline Cyber Defence Ltd. All rights reserved.