
Lab Environment and How to Study

2 hours · Module 0 · Free
What you already know

Section 0.6 mapped every module to its deliverables. This section covers the practical setup: what you need for the hands-on work, how to approach the course at different experience levels, and study guidance that makes the content stick.

Two paths through the content

Scenario

Two students start this course the same week. One is a SOC analyst with two years of Sentinel experience: they know the platform and want the operational methodology. The other is transitioning from IT administration into security and has never opened Advanced Hunting. Both can complete the course. The experienced analyst uses the you-already-know anchors to skip foundational material and focuses on the operational artifacts. The transitioning admin reads everything sequentially and runs every query to build platform familiarity. Different paths, same destination.

This course is designed for two study paths. The KQL queries and Sentinel configuration are optional in Phase 1: you can build the operational foundation (charter, triage framework, escalation triggers, metrics) without running a single query. The queries become essential in Phase 2, when you build detection rules.

If you have a Sentinel workspace (production or developer tenant), run the queries in Module 1 as you study them. The false positive rate query in Section 1.6 gives you an immediate number about your own SOC. That number is the starting point for every improvement this course builds.

If you don't have a Sentinel workspace yet, read the queries as examples and understand what they produce and why. Set up a developer tenant when you're ready for Phase 2.

Estimated time: 15 minutes.

Figure text (recovered from the image): Two study paths, same destination.
Experienced analyst: skip foundational concepts via the YAK (you-already-know) anchors; focus on operational artifacts and KQL queries; run queries against a production workspace. Estimated 3-4 hours per module.
Transitioning to security: read sequentially, every concept explained; set up a developer tenant for Phase 2; build operational docs for your environment. Estimated 5-6 hours per module.
Both paths produce the same deliverables: charter, triage framework, escalation triggers, metrics, maturity assessment. Operational infrastructure complete.

Figure 0.7. Two study paths through the same content. Experienced analysts focus on artifacts and queries. Transitioning professionals read sequentially. Both produce the same operational deliverables.

Lab environment options

Option 1: Your production Sentinel workspace

If your organization's security policy permits you to run read-only queries in your production Sentinel workspace, this is the best option for Phase 1. The queries in Module 1 are read-only: they query SecurityIncident, SigninLogs, and OfficeActivity to produce metrics about your existing SOC operations. They don't create, modify, or delete anything. Read-only still means a role assignment (Microsoft Sentinel Reader or Log Analytics Reader is sufficient; you don't need Contributor for Phase 1), and the results contain user principal names, IP addresses, and incident details, so treat anything you export from the query editor under the same handling rules as the workspace itself.

The advantage of running against production: the numbers you get are real. Your false positive rate. Your classification distribution. Your triage time patterns. These numbers make the operational concepts immediate because they describe your environment, not a fictional one.

The production workspace also lets you validate the operational artifacts against your own data. When you build the triage framework in Section 1.5, you can test the enrichment queries against recent alerts in your queue. When you measure FP rate in Section 1.6, the number tells you how much of your team's effort goes to dismissing noise. That number is the starting point for every improvement this course builds.

Option 2: M365 E5 developer tenant

A free developer tenant from developer.microsoft.com provides 25 E5 user licenses and the full Microsoft security stack: Sentinel, Defender XDR, and Entra ID. Eligibility rules for the Microsoft 365 Developer Program have changed over time, so check the current requirements on the program page before planning around it. Connect an Azure free subscription for the Sentinel workspace; new workspaces get a 31-day Sentinel trial (capped at 10 GB per day of ingestion), which is more than enough for a lab tenant. Enable the Entra ID, Microsoft 365, and Defender XDR data connectors. The sample data packs generate realistic user activity.

Setting up the developer tenant takes approximately 30-45 minutes: create the tenant, add the Azure subscription, deploy the Sentinel workspace, connect the three core data connectors, and wait for initial data ingestion (typically 15-30 minutes for the first sign-in events to appear). The process is covered in detail in the lab setup resource, but you don't need it for Phase 1. The developer tenant becomes essential in Phase 2, when you deploy detection rules: you need a workspace where you can create analytics rules, test them against data, and see them fire.
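Before treating the tenant as ready, confirm that each connector is actually delivering rows. The query below is an added example for this purpose, not part of the course's lab setup resource. It assumes the standard table names those three connectors populate (SigninLogs and AuditLogs from Entra ID, OfficeActivity from Microsoft 365, SecurityAlert and SecurityIncident from Defender XDR) and uses a 24-hour window chosen for illustration.

```kql
// Added example: verify connector ingestion in a new Sentinel workspace.
// isfuzzy=true lets the union run even if a table does not exist yet.
// A Log Analytics table is only created when its first row arrives, so a
// table that is missing from the output has received no data at all.
union withsource = SourceTable isfuzzy = true
    SigninLogs,        // Entra ID connector: interactive sign-ins
    AuditLogs,         // Entra ID connector: directory changes
    OfficeActivity,    // Microsoft 365 connector: Exchange, SharePoint, Teams
    SecurityAlert,     // Defender XDR connector: alerts
    SecurityIncident   // Defender XDR connector / Sentinel incidents
| where TimeGenerated > ago(24h)   // window chosen for illustration
| summarize
    Rows   = count(),
    Oldest = min(TimeGenerated),
    Newest = max(TimeGenerated)
    by SourceTable
| extend MinutesSinceLastRow = datetime_diff('minute', now(), Newest)
| order by SourceTable asc
```

Run it again after the expected 15-30 minute ingestion delay if a table is absent. A table that is present but whose MinutesSinceLastRow keeps growing indicates a connector that delivered once (for example, a backfill) and then stopped, which is worth catching in the lab before you depend on it for Phase 2 rules.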

Option 3: Read-only (no workspace)

If you don't have access to a Sentinel workspace and can't set up a developer tenant yet, you can still complete Phase 1 fully. The operational documents (charter, triage framework, escalation triggers, metrics definitions, maturity assessment) don't require a workspace. The KQL queries are shown with expected output so you understand what they produce. Set up a workspace before starting Phase 2.

The read-only path works for Phase 1 because the operational infrastructure is process documentation, not technology configuration. You can write a complete SOC charter, define tier boundaries, design escalation triggers, and build a maturity assessment without touching Sentinel. The queries in Module 1 are valuable for anchoring the concepts in real data, but the concepts themselves are platform-independent.

Study approach

Module 0 (this module)

Read Sections 0.1-0.4 to understand the discipline, the functions, the failure patterns, and the maturity spectrum. These sections frame everything that follows. Read Section 0.5 (pipeline) and 0.6 (deliverables) to understand what the course builds and how the modules connect. This section (0.7) is the last in the module.

Module 0 is conceptual: it teaches you what SOC operations is as a discipline and maps the course structure. You don't build anything in Module 0. The building starts in Module 1.

Module 1 (operational readiness)

Study Module 1 sequentially; each section builds on the previous one. The operating model informs the tier structure. The tier structure informs the handover design. The handover design informs the escalation framework. The full operational foundation assembles in the charter (Section 1.7).

Deploy artifacts as you build them. Write your triage framework in Section 1.5 and put it in front of your L1 analysts the same week. Don't wait until you finish the module. The operational value of each artifact is immediate.

Run the metrics queries in Section 1.6 against your Sentinel workspace if you have access. The numbers will surprise you; they surprised NE. The false positive rate query alone changes how you think about your SOC's effectiveness. Most teams discover their FP rate is between 30% and 50%, meaning a third to half of the incidents their analysts close were noise. That number is the first data point in your improvement roadmap.
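To make the read-only metric concrete for both the production-workspace option above and this study step, here is a false positive rate query of the kind the course refers to. It is an added illustration, not the course's own Section 1.6 query. It assumes the default SecurityIncident schema (Status, Classification, ClosedTime, LastModifiedTime, Title) and a 30-day lookback chosen for illustration.

```kql
// Added example: false positive rate from SecurityIncident.
// SecurityIncident is an append-only change log with one row per incident
// update, so counting raw rows overstates everything. Reduce each incident to
// its latest state first, then measure only incidents that were closed in
// the window.
let lookback = 30d;   // illustrative window
let closed = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | where Status == "Closed" and ClosedTime > ago(lookback);
closed
| summarize
    Closed         = count(),
    TruePositive   = countif(Classification == "TruePositive"),
    BenignPositive = countif(Classification == "BenignPositive"),
    FalsePositive  = countif(Classification == "FalsePositive"),
    // Incidents closed without a real classification hide the true FP rate.
    Unclassified   = countif(Classification == "Undetermined" or isempty(Classification))
| extend
    FalsePositiveRatePct = round(100.0 * FalsePositive / Closed, 1),
    UnclassifiedRatePct  = round(100.0 * Unclassified / Closed, 1)
```

Read the two percentages together. A low false positive rate next to a high unclassified rate usually means analysts are closing noise as Undetermined rather than a clean queue. To see which rules produce the noise, add `by Title` to the summarize (incident titles default to the analytics rule name) and sort by FalsePositive; that per-rule view is what feeds the tuning work later in the course.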

Modules 2-12 (premium content)

The paid modules follow the same pattern: each section teaches a concept, applies it to the NE scenario, and then has you apply it to your own environment. The KQL queries in Modules 2-6 are production rules; you deploy them in your workspace and they fire on real activity. The playbooks in Modules 7-9 are operational documents you use on real incidents. The automation in Modules 10-12 runs in your Sentinel workspace.

The recommended pace is one module per week at 3-5 hours per session. Some modules are heavier than others. Module 5 (endpoint detection) requires more lab time than Module 2 (methodology). Adjust your pace to the complexity. The goal is deployment, not completion speed.

The Northgate Engineering thread

Every module uses Northgate Engineering (NE) as the worked example. NE is an 810-person manufacturing company with M365 E5, Sentinel, and a hybrid SOC model. The NE scenario is not a lab exercise; it's a persistent fictional environment that evolves across all 12 modules. The AiTM incident from Module 0 becomes the case study for the triage framework in Module 1, the detection gap analysis in Module 2, the AiTM detection rule in Module 3, the investigation playbook in Module 7, and the board report in Module 11.

This continuity is deliberate. Real SOC work builds on itself: the detection rule you wrote last month fires this week, and the investigation you ran yesterday informs the tuning you do today. The NE scenario mirrors that continuity. When you write an escalation trigger in Section 1.4, you reference the AiTM incident that proved the trigger was needed. When you build the AiTM detection rule in Module 3, you reference the escalation gap that let the attack succeed for 21 days. The course is one investigation, not twelve disconnected exercises.

When to take breaks

The material is dense. Each module contains 10-12 sections, and each section runs 2,500-3,000 words with KQL queries, annotated output, and operational artifacts. Trying to complete a module in one sitting leads to passive reading: you absorb the concepts but don't retain the operational details. Two to three sections per sitting, with a break between to run the queries or draft the artifacts, produces better retention than reading straight through.

Estimated time

Module 0: 2-3 hours. Module 1: 4-6 hours (experienced analyst) or 6-8 hours (new to the Microsoft stack). Full course (12 modules): 36-40 hours over 8-12 weeks at a pace of 3-5 hours per week. The time estimate assumes you're running queries and deploying artifacts; reading without doing takes about half as long but produces about a tenth of the value.

The student who reads everything and deploys nothing

The student reads Module 0, reads Module 1, and stops. Not because the content is bad, but because they didn't deploy anything. The operational documents stay in their head. The queries stay unrun. The artifacts stay unbuilt. The gap between "I studied this" and "I deployed this" is where most training value evaporates. Deploy the charter. Run the metrics query. Write the escalation triggers. The deployment is the learning; the study is the preparation.

SOC Operations Principle

The course is designed for immediate operational application. Each artifact deploys the week you study it. The metrics queries run in your workspace today. The triage framework goes in front of your analysts next shift. Don't finish the course before deploying; deploy as you build. The deployment is where learning becomes capability.

Next
The Module Summary consolidates what you learned across all seven sections. Then Module 1 begins: the unified Microsoft Defender XDR portal, incident management, the four protection products, SOC workflow, and cross-product correlation.