Module Summary
What you built
This module produced the complete operational foundation for a SOC — ten artifacts that transform a team watching alerts into a function that detects, investigates, and improves.
Operating model ADR (Section 1.1) — your model choice documented with known gaps, not assumed. The Friday-night question answered: what happens when a critical alert fires during off-hours?
Tier definitions (Section 1.2) — L1, L2, and L3 as capability specializations with enforced scope boundaries. The 15-minute L1 boundary. Protected L3 time for the feedback loop.
Shift handover checklist (Section 1.3) — four-field format that transfers investigation state in under 10 minutes. MSSP-specific handover elements for hybrid models.
Escalation framework (Section 1.4) — three triggers for the ambiguous 30% of alerts that playbooks can't resolve. The instinct trigger — the most important — never penalized.
Triage decision framework (Section 1.5) — five-step structured triage with enrichment steps per alert category. Four disposition categories including the undetermined problem.
Metrics framework (Section 1.6) — quality metrics alongside speed metrics. MTTD, false positive rate, classification accuracy, external discovery rate. The data that shows whether the SOC catches attacks, not just processes alerts.
SOC charter (Section 1.7) — the master document that assembles all six artifacts into an authoritative reference. Four questions answered. CISO-signed. Quarterly reviewed.
Tool stack integration (Section 1.8) — Sentinel for detection, Defender XDR for investigation, Entra ID for identity context and containment. The right tool for each workflow phase.
Maturity assessment (Section 1.9) — evidence-based assessment across eight capabilities. The constraint identified. The improvement roadmap built.
Incident classification (Section 1.10) — severity driven by business impact (asset value × confidence × active status), not by rule assignment. SLAs mapped to severity.
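The four quality metrics from the metrics framework (Section 1.6) become trustworthy only when they are computed the same way every month from the same record fields. The block below is an added example, not material from the course or from NE's own tooling. The definitions it encodes are assumptions where the summary above gives none: MTTD is measured from the earliest evidence of activity to the SOC's confirmed detection, over true positives only; false positive rate is over all alerts; classification accuracy compares the L1 triage disposition with the post-investigation disposition; external discovery rate is the share of true positives first reported from outside the SOC. The disposition labels and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class AlertRecord:
    alert_id: str
    first_evidence: datetime   # earliest activity later tied to the incident
    detected: datetime         # when the SOC confirmed malicious activity
    initial_disposition: str   # the L1 call at triage (assumed label set)
    final_disposition: str     # the outcome after investigation
    discovered_by: str         # "soc" or "external" (customer, partner, law enforcement)

def _true_positives(records):
    return [r for r in records if r.final_disposition == "true_positive"]

def mttd_hours(records):
    # Mean time to detect over confirmed true positives only; false positives have no dwell time.
    tp = _true_positives(records)
    return mean((r.detected - r.first_evidence).total_seconds() / 3600 for r in tp) if tp else 0.0

def false_positive_rate(records):
    # Share of all alerts that investigation closed as false positive.
    return sum(r.final_disposition == "false_positive" for r in records) / len(records) if records else 0.0

def classification_accuracy(records):
    # Share of alerts whose triage disposition survived investigation unchanged.
    return sum(r.initial_disposition == r.final_disposition for r in records) / len(records) if records else 0.0

def external_discovery_rate(records):
    # Share of true positives the SOC first heard about from outside the SOC.
    tp = _true_positives(records)
    return sum(r.discovered_by == "external" for r in tp) / len(tp) if tp else 0.0

def compute_metrics(records):
    return {
        "mttd_hours": mttd_hours(records),
        "false_positive_rate": false_positive_rate(records),
        "classification_accuracy": classification_accuracy(records),
        "external_discovery_rate": external_discovery_rate(records),
    }

# Constructed sample records, not real incident data.
SAMPLE = [
    AlertRecord("A-1", datetime(2026, 3, 1, 8), datetime(2026, 3, 1, 12), "true_positive", "true_positive", "soc"),
    AlertRecord("A-2", datetime(2026, 3, 2, 0), datetime(2026, 3, 3, 0), "undetermined", "true_positive", "external"),
    AlertRecord("A-3", datetime(2026, 3, 4, 9), datetime(2026, 3, 4, 9), "true_positive", "false_positive", "soc"),
    AlertRecord("A-4", datetime(2026, 3, 5, 9), datetime(2026, 3, 5, 9), "false_positive", "false_positive", "soc"),
    AlertRecord("A-5", datetime(2026, 3, 6, 9), datetime(2026, 3, 6, 10), "undetermined", "benign", "soc"),
]
```

Feeding the same records through `compute_metrics` each reporting period is what makes a before/after comparison like NE's meaningful: the numbers move because the SOC changed, not because the definition did.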
What NE achieved
NE built every artifact in this module after INC-NE-2026-0227-001. The results over six months, with the same team and same tools:
MTTD: 14 days → 4.2 hours. False positive rate: 47% → 18%. External discovery rate: 60% → 15%. Classification accuracy: unmeasured → 89%. Maturity profile: 5 capabilities at Level 1 → 0 at Level 1, 4 at Level 3.
The operational foundation didn't require new tools, new headcount, or new budget. It required documentation, measurement, and discipline. The 90-day investment in operational infrastructure produced improvements that no technology purchase could have delivered — because the problem was never the technology.
What comes next
The operational foundation is the prerequisite. The paid modules build the detection, investigation, and operational capabilities on top of it.
What the full course builds
Phase 2 — Building Detections (Modules 2-6). Detection engineering methodology and 28 production KQL detection rules across identity, email, endpoint, and cloud domains. Each rule fully specified, tested, tuned, and deployed.
Phase 3 — Investigation and Response (Modules 7-9). Three complete investigation playbooks, four IR report templates, and hardening validation across four M365 security domains.
Phase 4 — Operational Maturity (Modules 10-12). Sentinel automation playbooks, metrics dashboards, CISO reporting, and a threat intelligence operations program.
Every module produces deployable assets. Detection rules that run in your Sentinel workspace. Investigation playbooks your team follows. Metrics dashboards your CISO reviews. The operational foundation you built in Modules 0-1 is the infrastructure that makes all of it work.