Microsoft 365 Threat Hunting
Master Microsoft 365 Threat Hunting
Go beyond alerts and become a proactive hunter. Learn hypothesis-driven threat hunting across Microsoft 365, Entra ID, Defender XDR, and Sentinel; so you can find stealthy attackers, uncover hidden compromises, and hunt like a professional before threats become breaches.
What you'll be able to do
“Really appreciate how the training broke down and showed us how to find the stuff that matters and create effective trigger points for detections. Writing KQL queries to hunt for mailbox delegation changes and persistence mechanisms gave us a massive practical experience.”
Course overview
The Microsoft 365 Threat Hunting course is the core training track for hypothesis-driven hunting, designed for Detection Engineers, Security Engineers, and Hunt Team Leads. You'll gain hands-on expertise to:
By the end, you'll have the mindset, techniques, and practical skills to lead proactive threat hunting programs that significantly improve your organisation's detection and response capabilities.
Who this course is for
You're a Detection Engineer, Security Engineer, or Hunt Team Lead responsible for proactive, hypothesis-driven threat hunting in Microsoft 365 environments. This course is built for you if you want to:
In short: if you're ready to become a highly effective threat hunter who actively finds attackers before they cause damage, this course is for you.
What you'll learn
By the end of this Microsoft 365 Threat Hunting course you will be able to:
Key course takeaways
Lab Pack, Hypothesis-Driven Hunt Toolkit
Evidence (9 tables, 30-day window, ~4,000+ entries): SigninLogs, AuditLogs, OfficeActivity, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents, DeviceFileEvents, DeviceRegistryEvents, with multiple attack chains hidden in legitimate baseline noise.
Hunt query library (~70 KQL files across 10 domains): Identity, Persistence, Escalation, Email, Exfiltration, Endpoint, Lateral Movement, Application, Ransomware, Insider, and Advanced correlation queries.
10 structured hypotheses with ATT&CK mapping and success criteria. Answers deliberately withheld, you must hunt.
Program artifacts: Charter, sprint template, maturity model, metrics template, hunt report templates, ATT&CK coverage matrix.
Things you need to know
What are the prerequisites for this course?
There are no prerequisites. The course teaches hypothesis-driven threat hunting from first principles. Familiarity with KQL and the Microsoft security stack will help you move faster, but neither is required. Every concept is explained at first use.
What are the device requirements?
A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) with Sentinel and Defender XDR for hands-on hunting. The lab pack provides synthetic evidence data if you cannot use a live environment.
How will the course benefit your career?
Threat hunting is one of the highest-value skills in security operations. Organisations need people who can proactively find threats that detection rules miss, not just triage alerts. This course gives you the methodology, the KQL fluency, and the hunt program framework to lead hunting operations.
The demand for threat hunters continues to grow as organisations recognise that detection rules alone cannot close the gap between attacker dwell time and discovery.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy hunt queries, detection rules, and playbooks in your production environment. You may not redistribute course content or share account credentials.
Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 2.1 | Last updated: June 2026
June 2026, v2.1: Course renamed to Microsoft 365 Threat Hunting.
June 2026, v2.0: Course page restructured. Lab pack with ~70 hunt queries across 10 domains, 10 structured hypotheses, 9 evidence tables, ATT&CK coverage matrix, and hunt program artifacts.
2026, v1.0: Course launch. 17 modules across 3 phases. Hypothesis-driven methodology across all hunt-domain modules.
This course is actively maintained.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.