0.2 Prerequisites and What You Need
Knowledge prerequisites
This course assumes you have:
Working knowledge of Microsoft Sentinel. You can navigate the Sentinel portal, run KQL queries in the Logs blade, understand how analytics rules create incidents, and know how to configure data connectors. If you need this foundation, complete M365 Security Operations Modules 0–6 first.
KQL proficiency. You can write queries using where, extend, summarize, join, let, and make_set. You understand time-based filtering, entity grouping, and cross-table correlation. Module 6 of the M365 course builds this skill. The detection rules in Modules 3–6 of this course use intermediate-to-advanced KQL — if you cannot read and modify a 30-line KQL query, invest time in KQL practice before starting Phase 2.
Familiarity with the M365 security stack. Defender XDR, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, and Entra ID. You do not need to be an expert in each, but you should know what data each product generates and where it appears in Sentinel.
Lab environment
You need a Microsoft Sentinel workspace with log data for the hands-on exercises. Two options:
Option 1: M365 Developer Tenant (recommended for learning)
A free E5 developer tenant from developer.microsoft.com with 25 user licenses (eligibility for the developer program has been tightened in recent years, so check the current terms before planning around it). Connect an Azure free subscription and create a Log Analytics workspace with Microsoft Sentinel enabled; a new workspace gets a 31-day Sentinel trial with up to 10 GB/day of ingestion at no charge. Enable the Entra ID, Microsoft 365, and Defender XDR data connectors. Load sample data packs for realistic users and activity.
If you completed M365 Security Operations Module 0, your tenant is already configured. Use the same environment.
Option 2: Your production environment (if permitted)
If your organization’s security policy allows you to deploy test analytics rules in your production Sentinel workspace, you can use real data. This produces the most realistic learning experience — your detection rules run against actual sign-in logs, email events, and endpoint telemetry.
Give test rules a recognizable name prefix, deploy them at Informational severity, and consider switching off incident creation in the rule's Incident settings so they produce alerts you can review without adding incidents to the production queue. Remove the test rules when you deploy the production versions.
Tools
- Sentinel workspace access — Microsoft Sentinel Contributor role (or higher) on the workspace, which is what creating and editing analytics rules requires
- KQL query editor — Sentinel Logs blade or Azure Data Explorer
- Text editor — for writing detection rule specifications and playbook documentation
- A document repository — for storing your completed assets (SharePoint, Git, Confluence, or even a local folder)
Try it yourself
Verify your lab environment is ready before proceeding:
You need at minimum: SigninLogs and AuditLogs for the Phase 2 identity detections, OfficeActivity for the email detections, and DeviceProcessEvents for the endpoint detections. Check each table over a recent window (the last 24 hours is enough for an active tenant). A table that shows zero events, or that does not appear in the workspace schema at all (a table is only created once its connector has ingested data), means the corresponding data connector needs configuration — refer to M365 Security Operations Module 8.
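A readiness query for the Logs blade, added here as an example (it is not the course's own query): it declares the four tables the exercises depend on, counts events per table over the last 24 hours, and reports 0 and "CONNECTOR NEEDED" for any table that is silent or does not exist yet. The 24-hour window and the UsedBy labels are assumptions; widen the window for a quiet developer tenant.

```kql
// Added example: verify that the tables the course exercises depend on are ingesting.
// Required tables and the part of the course that uses them (labels are assumptions).
let RequiredTables = datatable(TableName:string, UsedBy:string)
[
    "SigninLogs",          "Phase 2 identity detections",
    "AuditLogs",           "Phase 2 identity detections",
    "OfficeActivity",      "Email detections",
    "DeviceProcessEvents", "Endpoint detections"
];
// Count events per table over the last 24 hours (window is an assumption).
// isfuzzy=true keeps the query running when a table does not exist yet:
// a table is only created after its connector ingests the first record.
let Observed = union withsource=TableName isfuzzy=true
    SigninLogs, AuditLogs, OfficeActivity, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| summarize EventCount = count(), LastSeen = max(TimeGenerated) by TableName;
// Left join so a missing or silent table still appears, with a count of 0.
RequiredTables
| join kind=leftouter Observed on TableName
| extend EventCount = coalesce(EventCount, long(0))
| extend Status = iff(EventCount > 0, "OK", "CONNECTOR NEEDED")
| project TableName, UsedBy, EventCount, LastSeen, Status
| order by Status asc, TableName asc
```

Set the portal's time range picker to at least the window the query uses; the picker's filter is applied on top of the query's own `where`, so a narrower picker can make a healthy table look empty. Rows marked CONNECTOR NEEDED sort to the top so they are visible without scrolling.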
You're reading the free modules of SOC Operations
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.