Course Introduction

5 minutes · Module 0 · Free

What this course is

This is a practical incident response training course for Microsoft-stack environments — Windows endpoints, Microsoft 365, Entra ID, Defender XDR, Sentinel. Twenty modules take you from foundations through full investigation capability. You will learn to investigate the incidents that actually happen in these environments in 2026 — AiTM credential phishing, business email compromise, ransomware, insider threat, advanced persistent threat — by crossing the cloud-endpoint boundary that most training treats as separate disciplines.

The course focuses on the investigation work that happens once an alert has been validated as a real incident — evidence collection, forensic analysis, cross-environment correlation, containment planning, and incident reporting. If you are newer to security, the prerequisites section below names the foundational knowledge you will want to have in place; the course itself stays focused on investigation so every minute of study goes into building that skill directly.

Every module is grounded in worked examples with real tool output, annotated KQL queries, and procedures you run yourself. There are no theoretical frameworks without worked application. There is no "here is a list of things to consider" without showing you the actual investigation. If a module teaches you to parse Prefetch files, the module contains the PECmd command, the raw output, the interpretation, and the investigation finding the output supports. If a module teaches you to investigate token theft, the module contains the SigninLogs KQL query, the suspicious entries it returns, the interpretation of each field, and the next evidence pivot.

What this course teaches

Twenty modules across five phases.

Phase 1 — Foundations (IR0, IR1). You are here now. IR0 establishes context and method. IR1 walks through installing and configuring every tool in the course toolkit.

Phase 2 — Windows Endpoint Forensics (IR2–IR7). Evidence acquisition, execution and persistence artifacts, filesystem and registry forensics, event log analysis, memory forensics with Volatility 3, lateral movement and credential theft investigation.

Phase 3 — Microsoft 365 Cloud Investigation (IR8–IR12). Identity compromise, Exchange Online forensics, SharePoint/OneDrive/Teams investigation, Entra ID and Azure AD persistence, Defender XDR as the unified investigation platform.

Phase 4 — Investigation Scenarios (IR13–IR16). Four complete worked investigations — ransomware, business email compromise, insider threat, advanced persistent threat. Each exercises every skill from Phases 2 and 3 in the context of a specific incident type.

Phase 5 — Reporting, Readiness, and Capstone (IR17–IR19). Technical and executive reporting, regulatory notifications under current law (GDPR, NIS2, SEC), IR readiness building, and an end-to-end capstone investigation with no guidance.

You can study the course linearly (IR0–IR19) or in a modified order once Phase 1 is complete. If you come from a Windows operations background, Phase 2 first is natural. If you come from M365 administration, Phase 3 first is natural. Phase 4 requires both.

Who this course is for

Anyone who wants to learn Microsoft-stack incident response. The course is built for self-directed learners, and how much of it applies to your work depends on where you sit now and where you want to go.

The course will be especially useful if you recognize yourself in one of these profiles.

SOC analyst moving into incident response. One to three years of triage experience. You can read alerts, pivot into underlying evidence, and tell a real incident from a false positive. You want to own the investigation that happens after triage escalates — the analysis, the containment decisions, the report. This course is the training that takes you from triage to full response.

Microsoft 365 administrator who now owns security. You manage a tenant and you have just been told security is also your job. You know the portals, you know the services, you understand authentication and conditional access. You want to turn that administrative knowledge into investigation capability. This course gives you the investigation discipline — and the Phase 2 Windows forensics skills you need to investigate the endpoint side of cloud incidents.

Experienced endpoint forensic examiner adding cloud. You know Windows internals. You can read a Prefetch file without thinking about it. You want to add Microsoft 365 investigation to your existing forensic skill set. This course covers the cloud investigation work — sign-in log analysis, mailbox audit investigation, Entra ID persistence, cross-environment timeline construction.

If none of those profiles match yours, the course is still open to you. Read the prerequisites below and decide how much preparation you want to do before starting.

Prerequisites

Three specific prerequisites. Read each and self-assess honestly.

Windows. You should be comfortable with the Windows filesystem, the registry, Event Viewer, PowerShell basics, services, and scheduled tasks. You do not need to be a forensic examiner — the course teaches the forensics. You do need to recognize what a registry hive is, what an NTFS alternate data stream means, and how Windows event logging works. If HKLM\SOFTWARE, $MFT, or Security.evtx are unfamiliar terms, spend a week in Windows internals material before starting Phase 2. Mark Russinovich's _Windows Internals_ 7th edition covers far more than you need but is the standard reference.

Microsoft 365. You should be able to navigate the Entra ID portal, the Exchange admin center, the Defender XDR portal, and the Purview compliance portal. You should understand what Conditional Access policies do even if you have never configured one, what mailbox audit logging captures, and what the Defender incident queue shows. If M365 administration is entirely new, spend a week clicking through the portals before Phase 3 — you do not need configuration experience, you need navigational familiarity.

KQL. You should be able to write a basic KQL query — a where filter, a project to select columns, a summarize to aggregate. Every cloud investigation module contains production queries annotated line by line, so you will encounter advanced patterns in context. If KQL is entirely new, Microsoft Learn's free "Write your first query with KQL" primer covers what you need in two to three hours.
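As a calibration point for that prerequisite, here is an added example (not a query from the course) that uses exactly those three operators against Sentinel's SigninLogs table. The column names are Sentinel's; the seven-day window and the threshold of three distinct IP addresses are arbitrary values chosen for illustration. If you can read each line and predict the shape of the result, you meet the KQL prerequisite.

```kql
// Added illustration: successful sign-ins per user over the last week,
// flagging users who authenticated from several distinct IP addresses.
// Table and columns are Sentinel's SigninLogs; thresholds are arbitrary.
SigninLogs
| where TimeGenerated > ago(7d)              // where: keep only the last 7 days
| where ResultType == "0"                    // where: "0" is a successful sign-in
| project TimeGenerated, UserPrincipalName,  // project: keep only the columns we need
          IPAddress, AppDisplayName
| summarize SignIns = count(),               // summarize: one row per user ...
            DistinctIPs = dcount(IPAddress), // ... with the count of distinct source IPs
            Apps = make_set(AppDisplayName)  // ... and the set of applications used
        by UserPrincipalName
| where DistinctIPs > 3                      // where on the aggregate: unusually many IPs
| order by DistinctIPs desc
```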

Nothing else is required. You do not need a background in computer science, malware reverse engineering, or network protocols. Specific depth in those areas makes some modules easier, but none is prerequisite.

Home lab setup

You can follow along with the course on a modest home lab. Everything in this section is free or already included in your Microsoft environment. The full walkthrough — step-by-step installation, configuration, and validation of every tool — is in IR1. This section is the minimum-viable setup you need to start Phase 2.

Workstation

Hardware. A Windows 11 workstation with 16 GB RAM, 100 GB free storage, and administrator access. A dedicated forensic VM is recommended but not required — a separate user profile on your main machine works for the learning exercises. If you plan to acquire memory images of several gigabytes, 32 GB RAM is more comfortable than 16 GB. A 500 GB SSD is recommended if you plan to work through Phase 2 with real triage collections.

Why Windows 11. Windows 10 reached end-of-support in October 2025. All Phase 2 forensic tooling assumes Windows 11 as the target and host. If your only available host is Windows 10, the tools still run — you will see different artifact paths in some cases.

Forensic toolkit (install for Phase 2 onward)

Six categories of tools, all free.

KAPE — Kroll Artifact Parser and Extractor. Targeted triage collection from Windows endpoints. Collects the critical forensic artifacts in two to five minutes rather than the forty-five to ninety minutes a full disk image takes. Free for non-commercial use including government, education, research, and internal corporate use on your own systems; paid commercial license required for third-party IR engagements. Download: kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape.

Eric Zimmerman Tools (EZTools). A full suite of Windows forensic parsers — one per artifact type. PECmd for Prefetch, EvtxECmd for event logs, MFTECmd for $MFT and $UsnJrnl, Registry Explorer and RECmd for registry hives, Timeline Explorer for synthesis. Free. Download: ericzimmerman.github.io.

Velociraptor. Open-source endpoint monitoring, live response, and remote collection. Deploys as server + client or as a standalone collector. Free and open source. Download: docs.velociraptor.app.

Volatility 3. Open-source memory forensics framework. Analyzes RAM dumps to identify running processes, injected code, network connections, and credential material. Free and open source. Install via pip install volatility3 or download from github.com/volatilityfoundation/volatility3.

WinPMem. Windows memory acquisition tool. Produces memory images that Volatility 3 and MemProcFS consume. Free and open source. Download: github.com/velocidex/WinPmem.

PowerShell 7 + Microsoft Graph PowerShell. PowerShell 7 replaces Windows PowerShell 5.1 for modern scripting. Microsoft Graph PowerShell replaces the deprecated AzureAD and MSOnline modules for Entra ID operations. Install PowerShell 7 from github.com/PowerShell/PowerShell and the Graph module with Install-Module Microsoft.Graph -Scope CurrentUser.

Microsoft 365 environment (install for Phase 3 onward)

M365 Developer Tenant. Free tenant with 25 E5 user licenses for non-production development and learning. Provides a full Entra ID tenant, Exchange Online, SharePoint, Teams, Defender XDR, and Purview audit — everything the Phase 3 modules use. Sign up: developer.microsoft.com/microsoft-365/dev-program. Setup takes about thirty minutes.

Azure free subscription. Linked to the developer tenant. Deploy a Sentinel workspace with the free data connectors (Entra ID sign-ins, Office 365 audit, Defender XDR). The free tier includes 5 GB per day of Log Analytics ingestion — enough for learning. Sign up at azure.microsoft.com/free after the developer tenant is active.

Sample data. Load the sample data packs provided in your developer tenant to populate sign-in logs, mailbox activity, and device events for practice queries. The first Phase 3 module (IR8) uses these samples for the worked KQL examples.

What this gets you

By the end of IR1, you will have a forensic workstation that can collect triage data from any Windows system, parse every forensic artifact the course covers, analyze memory dumps, and run live response. You will have an M365 tenant that mirrors the structure of a real enterprise — ready for the Phase 3 cloud investigation work. The lab will remain operational for the rest of the course and for any real investigation you work afterward.

What you can skip

You do not need to install every tool before starting IR0.1. You need nothing installed to complete Phase 1 — IR0 and IR1 are the foundations that tell you what you will install and why. Install the forensic toolkit after IR1. Set up the M365 developer tenant before Phase 3. Do not spend setup time on tools you will not touch for weeks.

How the course is structured

Every module from IR2 onward follows the same pattern. You will encounter these elements in every content subsection.

Objective header. The problem the subsection solves, the deliverable at the end, and the time estimate. Read this before the subsection and use it as the completion check.

Diagram. Every content subsection has a diagram — the concept, the process, the decision tree, or the relationship between evidence sources. Diagrams are not decoration; they are the concise statement of what the subsection is about.

Worked examples. Annotated KQL queries, walked-through tool output, real artifact data with interpretation. Every content subsection contains at least one complete worked practical example. This is the core of a practical training course — not the narrative prose around it.

Guided Procedures. Numbered steps with expected output and failure branches. When the subsection teaches a procedure — memory acquisition, a KQL hunt, a Velociraptor collection — you follow the steps and see both what should happen and what to do if something fails.

Decision Points. Operational scenarios with a choice and the correct call. These are the judgment calls real investigators make under pressure. You read the scenario, decide what you would do, and compare against the explanation.

Try-its. Exercises you do yourself. Four components: Setup, Task, Expected Result, and Debugging Branch. If your result does not match the expected result, the debugging branch tells you what to check.

Compliance Myths. Common misconceptions stated as myths with the production reality. If you hear a colleague state the myth, you know how to correct them.

Checkpoints. Three self-diagnostic questions at the end of each content subsection. Answer them without looking back at the text. If you cannot, the relevant section is named.

Artifact footers. An operational artifact you can extract from the subsection and use in your work — a framework, a query, a template, a procedure.

Module completion pattern

Each module has content subsections (typically six to twelve), a module summary, and a Check My Knowledge subsection with eight questions. The summary is a reference for later; the Check My Knowledge is the end-of-module assessment. If you cannot answer the majority of Check My Knowledge questions, re-read the module before moving on.

Time per phase

Phase 1 (IR0, IR1): two evenings for IR0, half a day to a day for IR1 depending on lab setup experience. Phase 2 (IR2–IR7): three weeks at six to eight hours per week. Phase 3 (IR8–IR12): three weeks at the same rate. Phase 4 (IR13–IR16): two to three weeks — the scenario modules are longer but more engaging. Phase 5 (IR17–IR19): one to two weeks, with IR19 the single longest module in the course.

Full course at six to eight hours per week: ten to twelve weeks. Accelerated at fifteen hours per week: six to seven weeks.

Start here

Go to IR0.1 — How Real Incidents Actually Unfold next. It walks a real Microsoft-stack incident end to end — a ninety-minute timeline across four environments — and gives you the concrete shape the rest of the course is built to investigate. After IR0.1, the remaining IR0 subsections cover the reasoning pattern experienced responders use (IR0.2 How Investigators Think), the shared framework vocabulary for reports and audit conversations (IR0.3 How You Describe the Work), the toolkit the course uses and the adjacent skills worth building afterward (IR0.4 The Toolkit and What Comes Next), a concise module recap (IR0.5 Module Summary), and a scenario-based check of what the module taught (IR0.6 Check My Knowledge).

Work through IR0 in order. The reasoning pattern IR0.2 teaches is the mental model every subsequent module applies.