Operations Track

For Security Engineers, Detection Engineers, and Operations Managers Building SOC Infrastructure in M365 Environments

Aligned to NIST SP 800-61, MITRE ATT&CK, CIS Controls, and Mandiant tradecraft

Security Operations Center (SOC) Operations

Build and operate a SOC that detects, investigates, and improves — not just triages.

Build detection rules, investigation playbooks, incident response documentation, hardening baselines, automation workflows, and threat intelligence operations as a complete SOC program. Every module produces deployable assets — 28 production KQL detection rules, investigation playbooks for every major alert type, and the operational metrics that prove your SOC is improving.

What you'll deploy
SOC operational playbooks for triage, escalation, and shift handover
Alert classification framework with severity definitions and SLAs
Incident management workflow from detection through post-incident review
SOC metrics dashboard design (MTTD, MTTR, alert-to-incident ratio)
Analyst onboarding program with competency milestones
Stakeholder communication templates for incident reporting
SOC OPERATIONS — 13 MODULES
S1 SOC Foundations
S2 Detection Engineering
S3 Identity (7 rules)
S4 Email (7 rules)
S5 Endpoint (7 rules)
S6 Cloud (7 rules)
S7 Playbooks (3)
S8 IR Reports (4)
S9 Hardening (45)
S10 Automation (5)
S11 Metrics
S12 Threat Intel
28 rules · 3 playbooks · 167,000+ words of operational content
Complete SOC capability: detect → investigate → contain → document → improve

What you'll be able to do

Build and deploy 28 production KQL detection rules
Create investigation playbooks for every major alert type
Produce incident response documentation and reports
Measure SOC performance with operational metrics
Build threat intelligence operations into SOC workflows
Premium tier | 14 modules across 4 phases | 36–40 hours at your own pace | 36 CPE credits | 2 free modules — no account needed | Updated May 2026
Course Agenda (17 modules)

Who this course is for

“I triage alerts all shift but I've never built a detection rule or written a playbook.” L1 analysts ready to move up. You need the skills that separate alert responders from SOC operators — building the rules, writing the procedures, running the improvement cycle.

“Our SOC runs on tribal knowledge — nothing is documented.” When the experienced analyst leaves, the playbooks leave with them. This course builds documented triage procedures, investigation playbooks, and shift handoff templates your entire team follows consistently.

“My manager asked for SOC metrics and I don't know what to measure.” MTTD, MTTR, alert-to-incident ratio, false positive rate, detection coverage. You build the metrics dashboard and learn which numbers actually tell you if the SOC is improving — and which are vanity metrics.

“We have 28 Sentinel template rules and no idea if they're catching anything real.” You replace template rules with 28 detection rules you wrote, tested, and tuned for your environment — across identity, email, endpoint, and cloud workloads.

“I'm building a SOC from scratch and need the operational framework.” SOC managers and team leads who need the complete blueprint: staffing models, shift structure, detection backlog, escalation paths, automation strategy, and the board report that justifies the investment.

“AI is handling L1 triage — what does my SOC role become?” Module 13 covers Copilot for Security Operations: when to use AI assistance, when not to, how to verify its output, and the decision matrix that governs AI augmentation without replacing human judgment.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

You respond to alerts someone else configured. When a new attack technique appears, you wait for a vendor template to show up in Content Hub.

Every analyst handles the same alert differently. The experienced analyst spots the BEC indicators in 3 minutes. The new hire spends 45 minutes and still misses the inbox forwarding rule.

Your CISO asks “is the SOC improving?” and you don't have numbers. You know you're busy but you can't prove you're effective.

Shift handoffs are verbal. Critical context about ongoing incidents gets lost between shifts.

After

You write the detection rules. When a new threat advisory drops, you build the KQL, test it, and deploy it to Sentinel before the vendor template arrives.

Every analyst follows the same investigation playbook. The new hire handles BEC alerts using the same triage steps and produces the same quality incident comment as the veteran.

Your monthly SOC report shows MTTD trending down, detection coverage expanding, and false positive rate decreasing. You can prove the program is improving because you measure it.

Structured shift handoffs with documented open incidents, pending actions, and priority items. Nothing gets lost between shifts.

How the course works

The SOC operations lifecycle: build the detection program, operationalize it with playbooks, measure its effectiveness, and improve continuously:

Build
Detection Library

28 KQL rules across identity, email, endpoint, and cloud. Each rule specified, tested, tuned, and documented with ATT&CK mapping.

Operationalize
Playbooks & Process

Investigation playbooks for every alert type. Triage procedures, escalation paths, incident documentation, shift handoff templates. The SOC runs on process, not heroics.

Measure
Metrics & Reporting

MTTD, MTTR, detection coverage, FP rate, alert-to-incident ratio. The dashboard that proves the SOC is improving and the report your CISO reads.

Improve
Automation & Intelligence

SOAR playbooks for containment automation, threat intelligence integration for new detection rules, Copilot augmentation with governance. The continuous improvement engine.

What the content looks like

This is a real detection rule from Module 3. Every rule in the course follows the same pattern: the KQL query, the ATT&CK mapping, the false positive analysis, and the automated response action.

KQL — From Module 3: Identity Detection Rules
// Detect impossible travel: same user, sign-ins from more than one country within the same 1-hour bin
// ResultType is a string column in SigninLogs; "0" is a successful sign-in
SigninLogs
| where ResultType == "0"
| summarize
    Locations = make_set(Location),
    LocationCount = dcount(Location),
    EarliestSign = min(TimeGenerated),
    LatestSign = max(TimeGenerated)
    by UserPrincipalName, bin(TimeGenerated, 1h)
// bin() uses fixed clock hours, so a pair of sign-ins straddling the hour boundary lands in two bins
| where LocationCount > 1
| project UserPrincipalName, Locations, LocationCount,
    WindowMinutes = datetime_diff('minute', LatestSign, EarliestSign)

The query catches the impossible travel pattern — but the module also teaches why VPN users and mobile hotspots trigger false positives, how to build the exclusion list, and when to escalate versus suppress. Every rule comes with the operational context that makes it usable in production.
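The exclusion list and tuning the paragraph above refers to, as an added Python example that is not part of the course material: it reimplements the impossible-travel logic over constructed sample sign-ins, compares each sign-in with the user's previous one (so a pair straddling an hour boundary is not missed, unlike a fixed 1-hour bin), adds a ground-speed check, and drops known VPN egress ranges before evaluating. The coordinates, IPs, northgate.example user names and the 192.0.2.0/24 VPN range are all constructed for the example.

```python
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

# Fields mirror the SigninLogs columns the KQL rule uses; ResultType is a string, "0" = success.
SignIn = namedtuple("SignIn", "user time result_type country lat lon ip")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_impossible_travel(signins, excluded_egress, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user from different countries whose
    implied ground speed exceeds max_speed_kmh (roughly airliner speed). Sign-ins from
    known VPN/proxy egress ranges are dropped first: that is the exclusion list."""
    nets = [ip_network(n) for n in excluded_egress]
    ok = sorted((s for s in signins if s.result_type == "0"
                 and not any(ip_address(s.ip) in n for n in nets)),
                key=lambda s: (s.user, s.time))
    findings = []
    for user, group in groupby(ok, key=lambda s: s.user):
        prev = None
        for cur in group:
            if prev is not None and cur.country != prev.country:
                minutes = (cur.time - prev.time).total_seconds() / 60
                km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
                speed = km / (minutes / 60) if minutes > 0 else float("inf")
                if speed > max_speed_kmh:
                    findings.append((user, prev.country, cur.country, round(minutes), round(speed)))
            prev = cur  # compare against the most recent kept sign-in, not an hour bin
    return findings

# Constructed sample sign-ins: approximate city coordinates, documentation-range IPs.
SAMPLE = [SignIn(u, datetime.fromisoformat(t), r, c, la, lo, ip) for u, t, r, c, la, lo, ip in [
    ("alice@northgate.example", "2026-05-01T09:50:00", "0", "US", 40.71, -74.01, "203.0.113.10"),
    ("alice@northgate.example", "2026-05-01T10:10:00", "0", "DE", 52.52, 13.41, "198.51.100.7"),  # 20 min, ~6,400 km: impossible
    ("bob@northgate.example", "2026-05-01T11:00:00", "0", "US", 40.71, -74.01, "203.0.113.20"),
    ("bob@northgate.example", "2026-05-01T11:30:00", "0", "GB", 51.51, -0.13, "192.0.2.5"),  # corporate VPN egress: excluded
    ("carol@northgate.example", "2026-05-01T12:00:00", "0", "US", 47.61, -122.33, "203.0.113.30"),
    ("carol@northgate.example", "2026-05-01T12:40:00", "0", "CA", 49.28, -123.12, "203.0.113.31"),  # Seattle to Vancouver: plausible
    ("dave@northgate.example", "2026-05-01T13:00:00", "50126", "BR", -23.55, -46.63, "203.0.113.40"),  # failed sign-in: ignored
    ("dave@northgate.example", "2026-05-01T13:05:00", "0", "US", 40.71, -74.01, "203.0.113.41"),
]]
VPN_EGRESS = ["192.0.2.0/24"]  # constructed placeholder for the organisation's known VPN egress range
```

Running `detect_impossible_travel(SAMPLE, VPN_EGRESS)` flags only alice; removing the exclusion list also flags bob's VPN hop, which is the false positive the text describes.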

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 3.0  |  Last updated: May 2026

May 2026 — v3.0: Complete V3.0 rebuild. 14 content modules (S0–S13) across 4 phases. All modules rewritten to V3.0 teaching standard. Module 13 (Copilot for Security Operations) added. Course Completion page with exam CTA added.

2025 — v1.0: Initial release. 12 content modules (S0–S11).

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.