What This Course Builds
Section 0.5 mapped the seven-stage pipeline. This section maps every module in this course to the specific deliverables it produces, so you know exactly what you'll have built when you finish. Not outcomes. Artifacts. Documents, rules, templates, and dashboards you can deploy the week you study them.
Deliverables, not descriptions
Scenario
You complete a training course. You have knowledge. You don't have anything deployable. You know what a SOC charter is, what a triage framework contains, what detection rules should cover, but you still need to write every document and build every rule from scratch. This course is different. Every module produces a specific artifact (a document, a rule, a template, a dashboard) that you deploy in your environment the same week you study it.
Every module in this course produces deployable assets. Detection rules that run in your Sentinel workspace. Investigation playbooks your team follows on the next shift. A metrics dashboard your CISO reviews. This section maps the four phases and Modules 0-12 to the specific deliverables each produces.
Estimated time: 20 minutes.
Figure 0.6. What the course builds across four phases. Phase 1 (free) produces the complete operational foundation. Phases 2-4 (premium) build detection, investigation, and operational maturity on that foundation.
Phase 1: Foundation (Modules 0-1, free)
Phase 1 is free. No subscription required. You're reading it now.
Module 0 introduces the discipline: what SOC operations is, the four functions, the failure patterns, the maturity spectrum, the pipeline, and the lab environment. Module 1 builds the complete operational foundation: operating model ADR, tier definitions, shift handover checklist, escalation framework, triage decision framework, operational metrics, SOC charter, tool stack integration, maturity assessment, and incident classification.
The Phase 1 deliverables are deployable immediately. The SOC charter is a document your CISO can sign this week. The triage framework is a playbook your L1 analysts can use next shift. The escalation triggers can be implemented without any tooling change; they're process decisions, not technology configurations. The metrics queries run in your Sentinel workspace today.
What "deployable" means concretely: the SOC charter is a single document that defines your operating model (internal, managed, or hybrid), your tier boundaries (what L1 owns vs L2 vs L3), your escalation triggers (the three conditions that move an alert from one tier to the next), your quality metrics (what you measure and how often), and your reporting cadence (who sees what numbers and when). It's not a template you fill in; it's a document you build section by section as you work through Module 1, using your own organization's context. By Section 1.7, the charter is complete. By Section 1.9, you've assessed your current maturity against it and identified the first improvement.
This is deliberate. Phase 1 demonstrates what the course delivers by giving you deployable artifacts, not by describing what you'll eventually build. If the free modules don't change how your SOC operates, the paid modules won't either.
Phase 2: Building Detections (Modules 2-6, premium)
Phase 2 builds the detection capability: 28 production KQL detection rules across four domains. Each rule includes the full specification: hypothesis, ATT&CK mapping, KQL query, false positive profile, tuning guidance, entity mapping, and response actions.
Module 2 teaches the detection engineering methodology: threat modeling, rule specification, and the detection lifecycle. You start by mapping NE's threat landscape to ATT&CK techniques, scoring each technique by relevance and data availability, and building a prioritized detection backlog. The methodology is transferable; you apply the same process to your own environment.
Modules 3-6 each focus on a domain: identity threats (credential compromise, AiTM, token theft, device code phishing), email threats (BEC, inbox manipulation, phishing), endpoint threats (malware, LOLBins, lateral movement), and cloud application threats (OAuth abuse, consent grants, data exfiltration). Each rule follows the same lifecycle: hypothesis (what attack behavior are we detecting?), specification (what telemetry, what logic, what thresholds?), KQL implementation (the actual query), testing (does it fire on known-bad, stay quiet on known-good?), deployment (analytics rule configuration in Sentinel), and tuning notes (what FPs to expect and how to handle them).
The rules are designed for the Microsoft stack: Sentinel analytics rules with KQL queries, and Defender XDR custom detections. You build, test, and deploy each rule in your own workspace. By the end of Phase 2, your ATT&CK coverage against the techniques relevant to your environment has improved from the typical 10-15% to 45-60%. That number is measurable; the coverage query from Module 2 tracks it.
Phase 3: Investigation and Response (Modules 7-9, premium)
Phase 3 builds investigation and hardening capability. Module 7 delivers three complete investigation playbooks for the attack types most commonly seen on the Microsoft stack: AiTM credential phishing → BEC, ransomware, and insider threat. Each playbook is a step-by-step guide with KQL queries, evidence collection procedures, containment sequences, and documentation templates.
The playbooks are not flowcharts you hang on the wall. They're operational documents with specific queries for each investigation step. The AiTM playbook starts with the sign-in enrichment query you built in Module 1 and extends it through email pivot (did the attacker create inbox rules?), session analysis (what did they access with the stolen token?), lateral assessment (did they move to other accounts?), and containment (revoke sessions, reset credentials, remove malicious OAuth apps, purge inbox rules). Each step has the KQL query, the expected output, and the decision criteria: "if you see X, proceed to step 4; if you see Y, escalate to the incident commander."
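As an added illustration of what the sign-in enrichment and email-pivot steps look like when written as one Sentinel query (this is example code written for this page, not one of the course's 28 rules or its Module 7 playbook), the query below takes successful risky sign-ins for an account and asks whether the same account created or modified an inbox rule shortly afterwards. The SigninLogs and OfficeActivity tables and their columns are the standard Sentinel schema; the account name, the 7-day lookback, the 24-hour gap and the folder names in the decision criterion are assumptions chosen for illustration. Leaving the `suspect` variable empty generalizes the pivot from one account to every account, which is the same logic used as a detection rule.

```kql
// Added example, not course material: the AiTM playbook's "email pivot" as one Sentinel query.
// Assumed: Entra ID sign-in logs (SigninLogs) and Office 365 audit (OfficeActivity) are ingested.
// Set suspect to a UPN for a single-account investigation, or leave it empty to run the same
// logic across every account (which turns the playbook pivot into a detection).
let suspect  = "user@contoso.com";  // constructed value for illustration
let lookback = 7d;
let max_gap  = 24h;                 // assumption: rule created within a day of the risky sign-in
// Step 1: sign-in enrichment. Successful sign-ins that Entra ID flagged as risky.
let risky_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where isempty(suspect) or UserPrincipalName =~ suspect
    | where ResultType == "0"                                   // success only
    | where RiskLevelDuringSignIn in~ ("medium", "high")
    | project SignInTime = TimeGenerated, IPAddress, AppDisplayName, RiskLevelDuringSignIn,
              Country = tostring(LocationDetails.countryOrRegion),
              JoinKey = tolower(UserPrincipalName);
// Step 2: email pivot. Inbox rules created or changed by the same account.
// Parameters is a JSON array of {Name, Value}; flatten it into one property bag per event.
let inbox_rules =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where isempty(suspect) or UserId =~ suspect
    | where Operation in~ ("New-InboxRule", "Set-InboxRule")
    | extend Param = parse_json(Parameters)
    | mv-apply Param on (
        summarize Props = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
      )
    | project RuleTime = TimeGenerated, Operation, ClientIP,
              RuleName      = coalesce(tostring(Props.Name), tostring(Props.Identity)),
              DeleteMessage = tostring(Props.DeleteMessage),
              MoveToFolder  = tostring(Props.MoveToFolder),
              ForwardTo     = coalesce(tostring(Props.ForwardTo), tostring(Props.RedirectTo)),
              SubjectFilter = tostring(Props.SubjectContainsWords),
              JoinKey = tolower(UserId);
// Correlate: a rule change inside max_gap after a risky sign-in, by the same account.
risky_signins
| join kind=inner inbox_rules on JoinKey
| where RuleTime between (SignInTime .. (SignInTime + max_gap))
| extend MinutesAfterSignIn = datetime_diff('minute', RuleTime, SignInTime)
// Decision criterion for the playbook: a rule that hides or diverts mail is the BEC pattern.
// Folder names are assumptions; match them to the ones your tenant actually uses.
| extend HidesOrForwards = DeleteMessage =~ "True"
                           or isnotempty(ForwardTo)
                           or MoveToFolder has_any ("RSS", "Archive", "Deleted", "Junk")
| project JoinKey, SignInTime, IPAddress, Country, RiskLevelDuringSignIn,
          RuleTime, MinutesAfterSignIn, Operation, RuleName, SubjectFilter,
          DeleteMessage, MoveToFolder, ForwardTo, HidesOrForwards, RuleClientIP = ClientIP
| order by HidesOrForwards desc, RuleTime asc
```

A row with `HidesOrForwards` true, especially when `RuleClientIP` matches the risky sign-in's `IPAddress`, is the "proceed to containment" branch; a rule that only moves mail to a named project folder is the "benign, document and move on" branch. Rules created through the Outlook client arrive as `UpdateInboxRules` events with a different parameter layout and are deliberately left out of this query.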
Module 8 builds four IR report templates, one for each audience: the SOC team (technical detail with full timeline and IOCs), the CISO (strategic summary with business impact and remediation status), the board (risk narrative with cost context and assurance language), and the regulator (notification assessment with legal timeline requirements). Module 9 provides 45 hardening controls across four M365 security domains with validation KQL queries, so you can verify each control is configured correctly, not just enabled.
Phase 4: Operational Maturity (Modules 10-12, premium)
Phase 4 builds the operational infrastructure that sustains everything from the first three phases. Module 10 delivers five Sentinel automation playbooks for enrichment, notification, and containment. Module 11 builds the metrics dashboard specification and CISO reporting framework. Module 12 establishes the threat intelligence program and continuous improvement cadence that sustains the detection library long-term.
The automation playbooks in Module 10 address the repetitive tasks that consume analyst time without requiring analyst judgment. Alert enrichment (pulling the user's recent sign-in history, the device compliance state, and the user's risk score) takes 3-5 minutes per alert when done manually. An enrichment playbook that runs automatically when the alert fires adds that context before the analyst opens the incident. Multiply that saving across 200 alerts per week and the time recovered is significant, not because automation replaces the analyst, but because it eliminates the setup work so the analyst starts from a richer position.
Phase 4 is what separates a SOC that built good operational infrastructure from a SOC that sustains and improves it. The detection rules from Phase 2 need monthly tuning (Module 10). The metrics from Module 1 need dashboard visualization and reporting cadence (Module 11). The detection library needs ongoing threat intelligence to identify new coverage priorities (Module 12). Without Phase 4, the operational infrastructure built in Phases 1-3 degrades over time as the environment and threat landscape evolve.
The CISO reporting framework in Module 11 deserves specific attention. Most SOC teams report volume metrics (alerts closed, incidents resolved, SLA compliance) because those are the numbers the dashboard produces by default. The CISO reporting framework shifts to effectiveness metrics: detection coverage percentage (what proportion of relevant techniques do we detect?), false positive rate (what proportion of analyst effort goes to noise?), mean time to detect (how long do attacks exist before we catch them?), and external discovery rate (what proportion of incidents were found by someone outside the SOC?). These numbers tell the CISO whether the SOC is getting better, not just whether it's busy.
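To make the shift from volume to effectiveness metrics concrete, here is an added example (written for this page, not the course's Module 11 dashboard specification) that computes false positive rate, time to detect, and external discovery rate from Sentinel's SecurityIncident table. It assumes analysts set a Classification when closing incidents and that externally reported incidents carry an incident label named "external-report"; that label name is a constructed convention. Detection coverage percentage is not computable from incidents alone, since it needs the rule inventory with its ATT&CK mapping, so it is not included here.

```kql
// Added example, not course material: SOC effectiveness metrics from the SecurityIncident table.
// Assumptions: analysts set Classification when closing, and incidents that were reported from
// outside the SOC carry a label named "external-report" (constructed; substitute your own label).
let window = 30d;
let external_label = "external-report";
SecurityIncident
| where TimeGenerated > ago(window)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // one row per incident, latest state
| where Status == "Closed"
// Detection latency: earliest evidence time on the incident to the time the incident was raised.
// Caveat: FirstActivityTime is alert evidence, not initial access, so this understates dwell time.
| extend DetectMinutes = datetime_diff('minute', CreatedTime, FirstActivityTime)
| extend ExternallyDiscovered = tostring(Labels) has external_label
| summarize
    Closed         = count(),
    TruePositive   = countif(Classification == "TruePositive"),
    BenignPositive = countif(Classification == "BenignPositive"),
    FalsePositive  = countif(Classification == "FalsePositive"),
    Undetermined   = countif(Classification == "Undetermined" or isempty(Classification)),
    ExternalTP     = countif(ExternallyDiscovered and Classification == "TruePositive"),
    MedianTTDMin   = percentile(DetectMinutes, 50),
    P90TTDMin      = percentile(DetectMinutes, 90)
// The ratios the CISO framework asks for. Noise = everything an analyst worked that was not a
// real incident; external discovery = real incidents the SOC did not find itself.
| extend FalsePositiveRate     = round(100.0 * FalsePositive / Closed, 1),
         NoiseRate             = round(100.0 * (FalsePositive + BenignPositive) / Closed, 1),
         ExternalDiscoveryRate = iff(TruePositive > 0,
                                     round(100.0 * ExternalTP / TruePositive, 1), 0.0)
```

Run it over a 30-day window each month and chart the four ratios over time; a rising `Undetermined` count means the classification discipline the numbers depend on is slipping, and the trend should be fixed before the metrics are reported upward.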
A conventional course teaches concepts, and the student leaves with knowledge. The gap between "I understand what a detection rule is" and "I have 28 detection rules running in my Sentinel workspace" is the gap this course closes. Every module produces artifacts you deploy, not descriptions of artifacts you'll eventually need to build on your own.
SOC Operations Principle
A training course that produces knowledge without deployable artifacts leaves the hardest work to the student. This course produces the artifacts (operational documents, detection rules, investigation playbooks, metrics dashboards) ready for deployment in your environment. The Phase 1 artifacts (free) deploy this week. The Phase 2-4 artifacts deploy across Modules 2-12. Every artifact is designed for the Microsoft stack and tested against the NE operational scenarios.