0.1 Mission, Course Structure, and Who This Is For
What this course builds
SOC Operations is a structured training course that builds a production security operations capability module by module. This is not a theoretical overview of how SOCs work. It is a construction project — each module adds a functional layer to a working capability.
By the time you complete all 12 modules, you will have built:
- A SOC organizational framework: operating model, analyst tiers, escalation paths, charter, and metrics
- A detection engineering methodology with a managed backlog and deployment pipeline
- 28 production KQL detection rules across identity, email, endpoint, and cloud domains
- 3 complete investigation playbooks for AiTM credential phishing, BEC financial fraud, and ransomware
- 4 incident response report templates for every audience from the team to the board
- 45 hardening controls with validation queries across four M365 security domains
- 5 Sentinel automation playbook templates for enrichment, notification, and containment
- A metrics dashboard, CISO reporting framework, and continuous improvement methodology
- A threat intelligence operations program with collection, analysis, and hunting
Every module produces deployable assets. Detection rules from Module 3 should be running in your Sentinel workspace before you start Module 4. The course is designed for immediate operational application, not deferred deployment.
Who this course is for
SOC analysts and detection engineers working in Microsoft 365 environments who want to move beyond ad hoc alert response to structured, repeatable, measurable security operations. You already understand Sentinel and KQL. This course gives you the methodology, the rules, and the operational infrastructure.
Security operations managers building or maturing a team. The course provides the complete organizational framework (charter, tiers, metrics, maturity model) alongside the technical assets (detection rules, playbooks, automation).
IT professionals transitioning into dedicated security roles who have completed the M365 Security Operations course and are ready to build the operational infrastructure for their environment.
Course structure
The course follows four phases:
Phase 1 — Foundation (Modules 1–2). SOC operating models, analyst tiers, escalation paths, metrics, and the SOC charter. Detection engineering methodology — the lifecycle, threat modeling, MITRE ATT&CK mapping, rule specifications, and detection-as-code workflows.
Phase 2 — Building Detections (Modules 3–6). Four modules building 28 production KQL detection rules across identity, email, endpoint, and cloud domains. Each rule includes a full specification, annotated KQL, false positive analysis, tuning guidance, and response actions.
Phase 3 — Investigation & Response (Modules 7–8). Three complete investigation playbooks with the architecture framework for building your own. Four IR report templates with regulatory notification assessment and post-incident review methodology.
Phase 4 — Operational Maturity (Modules 9–12). Hardening baselines, Sentinel automation, metrics dashboards, and a threat intelligence program. The layer that matures a functioning SOC into a measurably improving one.
Check your understanding
1. Your organization currently has 3 security analysts who handle alerts reactively — no formal playbooks, no standardized detection rules, no metrics. Which phase of this course addresses your most urgent need?