Microsoft 365 Threat Hunting

Master Microsoft 365 Threat Hunting

Go beyond alerts and become a proactive hunter. Learn hypothesis-driven threat hunting across Microsoft 365, Entra ID, Defender XDR, and Sentinel; so you can find stealthy attackers, uncover hidden compromises, and hunt like a professional before threats become breaches.

View Pricing Download Lab Pack Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Develop and execute strong, hypothesis-driven threat hunting campaigns based on real attacker TTPs
Hunt proactively across Microsoft 365, Entra ID, endpoints, email, and cloud workloads using KQL and Defender XDR
Uncover stealthy threats, living-off-the-land techniques, and persistent compromises that evade detection
Translate hunting findings into high-fidelity detections, analytics rules, and automated playbooks
Build repeatable hunting playbooks and methodologies for your organisation
Lead effective threat hunting operations and clearly communicate results to technical and executive stakeholders
What students say about this course

“Really appreciate how the training broke down and showed us how to find the stuff that matters and create effective trigger points for detections. Writing KQL queries to hunt for mailbox delegation changes and persistence mechanisms gave us a massive practical experience.”

Ahmad
SEC402 | Premium tier | 17 modules across 3 phases | 36–40 hours at your own pace | 40 CPE credits | 5 free preview lessons - no account needed | Updated June 2026
Course Agenda View all 18 modules

Course overview

The Microsoft 365 Threat Hunting course is the core training track for hypothesis-driven hunting, designed for Detection Engineers, Security Engineers, and Hunt Team Leads. You'll gain hands-on expertise to:

Develop and execute strong hunting hypotheses based on real attacker behaviour and MITRE ATT&CK
Hunt across identities, endpoints, email, cloud, and Microsoft 365 data using KQL and Defender XDR
Uncover persistent threats, living-off-the-land techniques, and stealthy compromises
Build repeatable hunting playbooks and automate detection opportunities from your hunts

By the end, you'll have the mindset, techniques, and practical skills to lead proactive threat hunting programs that significantly improve your organisation's detection and response capabilities.

Who this course is for

You're a Detection Engineer, Security Engineer, or Hunt Team Lead responsible for proactive, hypothesis-driven threat hunting in Microsoft 365 environments. This course is built for you if you want to:

Move from reactive alert triage to leading professional-grade proactive hunting programs
Master hypothesis-driven techniques using KQL, Defender XDR, and Microsoft Sentinel
Find advanced threats that bypass your existing detections
Turn hunting discoveries into lasting improvements in your detection and response capabilities

In short: if you're ready to become a highly effective threat hunter who actively finds attackers before they cause damage, this course is for you.

What you'll learn

By the end of this Microsoft 365 Threat Hunting course you will be able to:

Build and execute high-quality hunting hypotheses grounded in MITRE ATT&CK and real-world intelligence
Perform advanced threat hunting across identities, endpoints, email, Teams, SharePoint, and cloud data
Use KQL effectively for hunting in Microsoft Sentinel and Defender XDR
Identify living-off-the-land, fileless, and stealthy attacker techniques in Microsoft 365 environments
Automate repetitive hunting tasks and convert successful hunts into production detections
Document, report, and operationalise hunting outcomes to mature your organisation's security program

Key course takeaways

Lead professional, hypothesis-driven threat hunting programs in Microsoft 365 environments
Master proactive hunting techniques that consistently uncover hidden threats and compromises
Translate hunting results into stronger detections, playbooks, and security improvements
Significantly reduce your organisation's dwell time by finding attackers earlier
Build reusable hunting methodologies, queries, and playbooks for your team
Become the go-to threat hunter who elevates your SOC from reactive to truly proactive

Lab Pack, Hypothesis-Driven Hunt Toolkit

Evidence (9 tables, 30-day window, ~4,000+ entries): SigninLogs, AuditLogs, OfficeActivity, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents, DeviceFileEvents, DeviceRegistryEvents, with multiple attack chains hidden in legitimate baseline noise.

Hunt query library (~70 KQL files across 10 domains): Identity, Persistence, Escalation, Email, Exfiltration, Endpoint, Lateral Movement, Application, Ransomware, Insider, and Advanced correlation queries.

10 structured hypotheses with ATT&CK mapping and success criteria. Answers deliberately withheld, you must hunt.

Program artifacts: Charter, sprint template, maturity model, metrics template, hunt report templates, ATT&CK coverage matrix.

Threat Hunting Lab Pack
~100+ files · 9 evidence tables · 70 hunt queries · 10 hypotheses · 30-day evidence window
Download Lab Pack (.zip)

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches hypothesis-driven threat hunting from first principles. Familiarity with KQL and the Microsoft security stack will help you move faster, but neither is required. Every concept is explained at first use.

What are the device requirements?

A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) with Sentinel and Defender XDR for hands-on hunting. The lab pack provides synthetic evidence data if you cannot use a live environment.

How will the course benefit your career?

Threat hunting is one of the highest-value skills in security operations. Organisations need people who can proactively find threats that detection rules miss, not just triage alerts. This course gives you the methodology, the KQL fluency, and the hunt program framework to lead hunting operations.

The demand for threat hunters continues to grow as organisations recognise that detection rules alone cannot close the gap between attacker dwell time and discovery.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy hunt queries, detection rules, and playbooks in your production environment. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 2.1  |  Last updated: June 2026

June 2026, v2.1: Course renamed to Microsoft 365 Threat Hunting.

June 2026, v2.0: Course page restructured. Lab pack with ~70 hunt queries across 10 domains, 10 structured hypotheses, 9 evidence tables, ATT&CK coverage matrix, and hunt program artifacts.

2026, v1.0: Course launch. 17 modules across 3 phases. Hypothesis-driven methodology across all hunt-domain modules.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40minutes
3phases
100points
1scenario
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.