
Microsoft 365 SOC Engineering

Master Microsoft 365 SOC Engineering

Build and run a high-performing Security Operations Center in Microsoft 365. Design, implement, and optimise modern SOC infrastructure, processes, and workflows using Microsoft Defender XDR, Microsoft Sentinel, Entra ID, and the full Microsoft security stack, so that you can detect, respond, and mature your operations at enterprise scale.


What you'll be able to do

Design and implement a complete SOC architecture and operating model in Microsoft 365 environments
Deploy, configure, and optimise Microsoft Defender XDR, Microsoft Sentinel, Entra ID, and supporting security tools
Build and run efficient SOC workflows for alert triage, investigation, threat hunting, and response
Establish automation, playbooks, and processes that scale operations effectively
Define and track meaningful SOC metrics to measure performance and drive continuous improvement
Mature your SOC from reactive monitoring to a proactive, high-performing security capability
SEC302 | Premium tier | 14 modules across 4 phases | 36–40 hours at your own pace | 36 CPE credits | 5 free preview lessons - no account needed | Updated June 2026

Course overview

The Microsoft 365 SOC Engineering course is built specifically for Security Engineers, Detection Engineers, and Operations Managers responsible for building SOC infrastructure in Microsoft 365 environments. You'll gain hands-on expertise to:

Design and implement a complete Microsoft 365 SOC architecture and operating model
Deploy, configure, and optimise Microsoft Defender XDR, Microsoft Sentinel, and supporting security services
Build efficient SOC workflows for triage, investigation, hunting, automation, and reporting
Establish metrics, playbooks, and processes that drive continuous SOC maturity

By the end, you'll have the strategic and technical skills to build, run, and mature a modern, effective Microsoft 365 Security Operations Center that delivers real security outcomes.

Who this course is for

You're a Security Engineer, Detection Engineer, or Operations Manager responsible for building or running a Security Operations Center in Microsoft 365 environments. This course is built for you if you want to:

Move from fragmented tool deployment to a well-designed, integrated SOC infrastructure
Master the configuration and daily operations of the full Microsoft security stack
Build scalable processes, automation, and workflows that improve SOC efficiency
Develop both technical depth and operational maturity for your security program

In short: if you're responsible for designing, building, or optimising a modern Microsoft 365 SOC, this course is for you.

What you'll learn

By the end of this Microsoft 365 SOC Engineering course you will be able to:

Architect and implement a modern Microsoft 365 SOC operating model and technology stack
Deploy and tune Microsoft Defender XDR, Microsoft Sentinel, Entra ID Protection, and related services
Design and operationalise effective SOC workflows for triage, investigation, hunting, and automation
Integrate Microsoft security tools into unified processes with clear visibility and handoffs
Establish SOC metrics, reporting, and continuous improvement frameworks
Build playbooks, runbooks, and automation that reduce response times and operational overhead

Key course takeaways

Build and run a production-grade Microsoft 365 SOC infrastructure that delivers real results
Master the integration and operation of Defender XDR, Sentinel, and the broader Microsoft security stack
Create scalable, efficient SOC processes and automation that reduce alert fatigue and improve outcomes
Establish clear metrics and maturity models to continuously improve your security operations
Develop both the technical and operational skills needed to lead a high-performing SOC
Become the SOC leader who transforms tools and people into a cohesive, effective security capability

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches SOC operations from first principles. Familiarity with Microsoft 365, Sentinel, and KQL will help you move faster, but none of them is required. Every concept, tool, and process is explained at first use.

What are the device requirements?

A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) with Sentinel and Defender XDR for hands-on exercises. The course walks you through setup in Module 0.

How will the course benefit your career?

SOC operations is the foundation of enterprise security. Organisations need people who can design the SOC architecture, build the detection library, create the investigation playbooks, and measure the outcomes. This course gives you the complete toolkit — from SOC design through operational maturity.

SOC operations capability is a prerequisite for SOC management, security engineering, and security leadership roles.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy detection rules, playbooks, and operational frameworks in your production environment. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering, a fictional company. Any resemblance to real organisations is coincidental.

Version and changelog

Current version: 1.1  |  Last updated: June 2026

June 2026 — v1.1: Course renamed to Microsoft 365 SOC Engineering.

June 2026 — v1.0: Course page restructured. 14 modules across 4 phases. 28 detection rules, 3 investigation playbooks, operational metrics framework.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70 out of 100 points. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.