Core Training Track

For Security Engineers, Administrators, and Architects Configuring and Operating the Microsoft Security Stack

Aligned to NIST CSF 2.0, NIST SP 800-53, MITRE ATT&CK, and the NIS2 Directive

Microsoft 365 Security Operations

Configure, detect, investigate, and respond across the entire Microsoft security stack.

Operate Defender XDR, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, Purview, and Sentinel as an integrated security platform. Write production KQL detection rules, build investigation playbooks, deploy hardening baselines, and investigate five real attack types end-to-end — AiTM phishing, BEC, token replay, consent phishing, and insider threat. SC-200 exam objectives fully covered — the certification is the side effect of operational competence.

What you'll deploy
Full M365 security operations playbook across Sentinel + Defender XDR
Cross-workload investigation methodology spanning identity, email, and endpoint
Advanced Hunting queries for every M365 workload
Alert tuning baselines that reduce noise without losing coverage
Example incident queue (illustrative Microsoft Sentinel mock-up from the course):
AiTM phishing: session token harvested (High)
Suspicious inbox forwarding rule created (Medium)
Token replay from unrecognized IP range (Medium)
Bulk file download by departing employee (Low)
Queue status: 12 active incidents, 47 closed this week, 4.2h average resolution, 3 pending triage

What you'll be able to do

Operate Defender XDR, Defender for Endpoint, and Sentinel as an integrated platform
Write production KQL detection rules for the M365 security stack
Investigate AiTM, BEC, token replay, consent phishing, and insider threat
Deploy hardening baselines across Defender workloads and Purview
Build investigation playbooks for every major M365 attack type
Premium tier | 19 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | SC-200 aligned | Updated May 2026

Who this course is for

“I use Defender and Sentinel but I investigate in each portal separately.” You open Defender XDR for endpoint alerts, Sentinel for identity, Entra for sign-ins — never correlating across them. This course teaches you to operate the unified platform: one incident queue, cross-workload pivots, evidence from every data source in one investigation.

“I'm studying for SC-200 and I don't want to just memorize the exam guide.” Every SC-200 objective is covered by operating the actual product, not reading about it. You investigate AiTM phishing, trace BEC campaigns, contain token replay — and the exam objectives are the side effect.

“We deployed M365 E5 security but most features are still at defaults.” Defender for Endpoint, MDO, MCAS, Purview, Sentinel — you're paying for the full stack but only using fragments. This course takes each product from default configuration to operational hardening with policies you can justify.

“Security Copilot launched and I don't know how to evaluate its output.” Module 5 teaches you to use Copilot as an investigation accelerator — prompt it, evaluate its response, verify its findings, and know when it's wrong. Critical AI evaluation, not blind trust.

“I'm an IT admin who got handed security responsibility.” You know M365 administration but security operations is new territory. This course starts with the platform architecture (how Defender, Sentinel, and Entra connect) and builds to incident investigation. No assumed security background.

“I need to prove I can investigate incidents, not just configure products.” Five real attack scenarios — AiTM, BEC, token replay, consent phishing, insider threat. You investigate each end-to-end using the methodology, tools, and KQL queries the job requires. The artifacts go in your portfolio.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

You open Defender XDR for endpoint alerts, switch to Sentinel for cloud detections, then Entra for sign-in logs. Three portals, three tabs, no correlation.

An AiTM phishing alert fires and you check the email. You don't know how to pivot from the email to the stolen token to the inbox rule to the lateral movement — so you close it as “phishing blocked.”

Copilot gives you an incident summary and you forward it to your manager verbatim. You can't tell if it missed the persistence mechanism.

You're paying for E5 security but Purview is untouched, Defender for Cloud Apps is at defaults, and your Sentinel workspace has 40 template rules you've never reviewed.

After

You work from the unified incident queue. One alert correlates email, identity, and endpoint evidence automatically. You investigate across workloads without switching context.

You trace the AiTM attack from the phishing email through token theft, inbox rule creation, and financial fraud — producing the cross-domain timeline your CISO needs in the executive briefing.

You prompt Copilot with targeted questions, verify its entity extraction against raw KQL, catch what it missed, and document both the AI output and your corrections.

Every Defender workload is configured with policies you can explain. Your Sentinel workspace runs rules you wrote and tuned. Purview DLP policies are active. You know what each product does and what it doesn't.

How the course works

Four phases build from platform foundations to independent investigation. Each phase produces operational artifacts you use immediately:

Phase 1
Foundations

Defender XDR architecture, Defender for Endpoint configuration, alert correlation. You understand how the unified platform connects before you investigate in it.

Phase 2
Security Stack

Purview, Defender for Cloud, Security Copilot, KQL, Sentinel workspace, log connectors, MDO policies. Each product configured, hardened, and connected to the unified pipeline.

Phase 3
Detection & Hunting

Sentinel analytics rules, threat hunting campaigns, Advanced Hunting across workloads. You build the detection rules and hunt queries that power your SOC.

Phase 4
Investigation Scenarios

Five end-to-end investigations: AiTM phishing, BEC & financial fraud, token replay, consent phishing, insider threat. Each uses the full platform, the full methodology, the full tool stack.

What the content looks like

This is a real query from Module 1. Every shift starts here — before you touch the incident queue, you verify every data pipeline is flowing. A silent connector is more dangerous than a noisy queue.

KQL — From Module 1: SOC Shift Start Workflow
// Pipeline health: when did each critical table last receive data?
// One row per table. DataAge is minutes since the newest event, so the
// stalest table sorts to the top. Table names are the Defender XDR
// Advanced Hunting schema, which Sentinel also exposes through the
// Defender XDR connector.
union
    (DeviceProcessEvents | summarize LastEvent = max(Timestamp)
        | extend Table = "DeviceProcessEvents"),
    (EmailEvents | summarize LastEvent = max(Timestamp)
        | extend Table = "EmailEvents"),
    (IdentityLogonEvents | summarize LastEvent = max(Timestamp)
        | extend Table = "IdentityLogonEvents"),
    (CloudAppEvents | summarize LastEvent = max(Timestamp)
        | extend Table = "CloudAppEvents")
| project Table, LastEvent,
    DataAge = datetime_diff('minute', now(), LastEvent)   // ingestion lag in minutes
| order by DataAge desc   // stalest table first

If any table shows a DataAge greater than 60 minutes, investigate the connector before touching the incident queue. A stale EmailEvents table means phishing alerts will not fire. A stale IdentityLogonEvents table means the logon telemetry from Defender for Identity and Defender for Cloud Apps that identity detections depend on has stopped flowing. This is the first query you run. Every module teaches at this level: operational, copy-paste ready, with the reasoning that tells you why it matters.
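The Phase 4 scenarios pivot from the phishing email to the stolen token to the inbox rule, the AiTM chain described under "Before and after". The query below is an added example written for this page, not a query from the course: it correlates inbox rules that divert or hide mail with the Entra ID sign-ins that preceded them, so the token-theft-to-persistence pivot is one result set instead of three portals. It assumes the Defender XDR Advanced Hunting schema with CloudAppEvents populated from Exchange Online auditing and AADSignInEventsBeta populated with Entra ID sign-ins; the 7-day lookback, the 6-hour session window, and the rule-parameter list are illustrative choices, not course values.

```kql
// Added example (not course code): pivot from a suspicious inbox rule to the
// sign-ins that preceded it, the way the AiTM scenario requires.
// Assumes Defender XDR Advanced Hunting with CloudAppEvents (Exchange Online
// audit) and AADSignInEventsBeta (Entra ID sign-ins) populated.
// Lookback, window, and parameter list are illustrative.
let lookback = 7d;
let sessionWindow = 6h;   // how far back from the rule to look for the sign-in
// 1. Inbox rules that forward, redirect, delete, or hide mail: the usual
//    AiTM/BEC persistence step once the attacker holds a session token.
let SuspiciousRules = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application == "Microsoft Exchange Online"
    | where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
    | extend Params = tostring(RawEventData.Parameters)
    | where Params has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                            "DeleteMessage", "MoveToFolder", "MarkAsRead")
    | project RuleTime = Timestamp, AccountObjectId, AccountDisplayName,
              RuleIP = IPAddress, ActionType, Params;
// 2. Successful Entra ID sign-ins for the same accounts, with enough extra
//    lookback to cover the session window before the earliest rule.
let SignIns = AADSignInEventsBeta
    | where Timestamp > ago(lookback + sessionWindow)
    | where ErrorCode == 0
    | project SignInTime = Timestamp, AccountObjectId, AccountUpn,
              SignInIP = IPAddress, Country, SessionId, UserAgent;
// 3. Join on the account and keep only sign-ins inside the window before the
//    rule. With AiTM the token is replayed from attacker infrastructure, so
//    the IP that created the rule often differs from the IP that authenticated;
//    MismatchCount surfaces that without hiding the same-IP case.
SuspiciousRules
| join kind=inner SignIns on AccountObjectId
| where SignInTime between ((RuleTime - sessionWindow) .. RuleTime)
| summarize SignInIPs = make_set(SignInIP),
            Countries = make_set(Country),
            Sessions = make_set(SessionId),
            UserAgents = make_set(UserAgent),
            MismatchCount = countif(RuleIP != SignInIP)
    by RuleTime, AccountUpn, RuleIP, ActionType, Params
| order by RuleTime desc
```

Read the output top-down by RuleTime: a rule whose RuleIP appears in none of the SignInIPs, with a new Country or UserAgent in the set, is the token-replay signature to escalate; a rule created from the same IP as a compliant-device sign-in is usually a user tidying their mailbox. The IP mismatch is a prioritisation hint rather than proof, since NAT, VPN egress, and mobile carriers also change addresses within a session, so confirm against the SessionId and the EmailEvents delivery for the originating message before calling it AiTM. In a Sentinel-only workspace the same pivot uses SigninLogs in place of AADSignInEventsBeta.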

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Complete course. All 19 modules active across 4 phases. Mapped to SC-200 exam objectives (January 2026 update). Investigation scenarios: AiTM phishing, BEC, token replay, consent phishing, insider threat.

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 3 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.