
Microsoft 365 Security Automation and Orchestration

Master Microsoft 365 Security Automation and Orchestration

Scale your security operations without scaling headcount. Design, build, and operationalise powerful automation and orchestration workflows using Microsoft Sentinel, Logic Apps, Playbooks, and Defender XDR, so you can respond to threats faster, reduce manual work, and run a more efficient, effective SOC.


What you'll be able to do

Design and build end-to-end security automation workflows that scale your SOC without adding headcount
Create powerful playbooks in Microsoft Sentinel using Logic Apps, KQL, and automation connectors
Automate alert triage, enrichment, investigation, and response actions across Microsoft security tools
Orchestrate cross-tool and cross-platform responses (M365, Entra ID, Defender XDR, endpoints, and external systems)
Implement SOAR capabilities that reduce manual work and accelerate mean time to respond (MTTR)
Measure, monitor, and continuously improve your security automation maturity and ROI
SEC202 | Premium tier | 14 modules across 3 tiers | 36–40 hours at your own pace | 36 CPE credits | 6 free preview lessons - no account needed | Updated June 2026

Course overview

The Microsoft 365 Security Automation and Orchestration course is built specifically for Security Engineers, Detection Engineers, and Architects who need to scale operations without scaling headcount. You'll gain hands-on expertise to:

Design and implement automated detection, investigation, and response workflows
Build powerful playbooks in Microsoft Sentinel using Logic Apps and KQL
Orchestrate cross-tool actions across Microsoft 365, Entra ID, Defender XDR, and external systems
Create SOAR capabilities that reduce alert fatigue and accelerate incident response

By the end, you'll have the practical skills and engineering mindset to automate repetitive tasks, standardise response processes, and dramatically improve your organisation's security efficiency and effectiveness.

Who this course is for

You're a Security Engineer, Detection Engineer, or Security Architect who needs to scale security operations without scaling headcount. This course is built for you if you want to:

Move from manual, repetitive security tasks to fully automated and orchestrated workflows
Master Microsoft Sentinel playbooks, Logic Apps, and SOAR techniques for real-world operations
Automate detection engineering, incident response, and threat hunting processes
Dramatically improve SOC efficiency while reducing alert fatigue and burnout

In short: if you're ready to engineer automation that lets your team do more with less and respond to threats at machine speed, this course is for you.

What you'll learn

By the end of this Microsoft 365 Security Automation and Orchestration course you will be able to:

Design and implement automation strategies for detection, investigation, and response
Build advanced playbooks in Microsoft Sentinel using Logic Apps, KQL, and connectors
Orchestrate automated actions across Microsoft Defender XDR, Entra ID, Microsoft 365, and external tools
Automate threat enrichment, containment, eradication, and recovery processes
Create reusable automation assets, templates, and best practices for your organisation
Measure automation effectiveness and continuously mature your SOAR capabilities

Key course takeaways

Build production-grade security automation and orchestration that scales your operations efficiently
Master Microsoft Sentinel playbooks and Logic Apps to automate repetitive SOC tasks
Significantly reduce manual effort, alert fatigue, and mean time to respond
Create reliable, auditable automated workflows for detection, investigation, and response
Develop a reusable automation library that delivers long-term ROI for your security program
Become the Security Automation expert who transforms your SOC from reactive to highly efficient and proactive

Lab Pack — Build Real Automation in Your Own Sentinel Workspace

Downloadable lab pack with everything you need to build, test, and deploy the SA automation stack in your own Microsoft Sentinel environment.

Lab environment (free): M365 E5 developer tenant + Azure free subscription + Sentinel workspace with 5 GB/day free ingestion. No local VMs required — all automation runs in the cloud.

Watchlist seed data (5 CSVs): VIP-Users (executive accounts requiring approval gates), Known-Safe-IPs (corporate network ranges), High-Risk-Assets (servers requiring blast radius assessment), Containment-Eligible-Rules (analytics rules validated for automation tiers), CDN-Ranges (cloud provider IP exclusions).

KQL query packs (11 queries): Detection triggers, enrichment queries, evidence collection queries, health monitoring (playbook success rate, containment metrics, suppression audit), and multi-signal correlation.

Deployable automation: ARM template for SA2 enrichment playbook with staging and production parameter files. Python Azure Functions for TI enrichment and evidence packaging.

Scripts: Watchlist deployment, test incident generator (10 capstone scenarios), sample data generator (30 days of NE telemetry with planted AiTM attack), and full-stack automation deployment.

Security Automation Lab Pack
5 watchlists · 11 KQL queries · ARM templates · Azure Functions · 10 capstone scenarios

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches security automation from first principles. Familiarity with Microsoft Sentinel and KQL will help you move faster, but neither is required. Every concept is explained at first use.

What are the device requirements?

A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) and an Azure subscription for Sentinel and Logic Apps deployment. The course walks you through setup in Module 0.

How will the course benefit your career?

Security automation is how modern SOCs scale. Organisations need engineers who can build the playbooks, Logic Apps, and governance frameworks that turn manual procedures into automated workflows. This course gives you the skills to design, deploy, and govern automation across the Microsoft security stack.

The demand for SOAR-capable security engineers continues to grow as organisations move from manual incident response to automated detection, enrichment, and containment.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy playbooks, automation rules, KQL queries, and Azure Functions in your production environment. You may not redistribute course content or share account credentials.

Automation artifacts: All playbooks and functions are provided as-is. Test every automation in a staging workspace before production deployment. Automated containment actions have business impact. Ridgeline Cyber Defence is not responsible for operational impact from deployed automation.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.2  |  Last updated: June 2026

June 2026 — v1.2: Course renamed to Microsoft 365 Security Automation and Orchestration.

June 2026 — v1.1: Course renamed to Sentinel Automation and Orchestration.

June 2026 — v1.0: Course page restructured. 14 modules across 3 tiers. 7 deployable Logic App playbooks, 4 Azure Functions, 11 KQL query packs, 5 governance watchlists.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.