Course Syllabus
-
Module 1: Mitigate Threats Using Microsoft Defender for Endpoint

This module focuses on endpoint threat protection operations—deploying Microsoft Defender for Endpoint, investigating device-based alerts, and taking response actions to contain and remediate threats.

Lessons:

  • Defender for Endpoint capabilities and operational value in SecOps

  • Deploying and onboarding devices; configuring core security settings

  • Attack surface reduction concepts and endpoint hardening

  • Device investigations: forensic signals, timelines, and evidence correlation

  • Response actions: containment, remediation, and automation concepts

  • Vulnerability and exposure insights for risk reduction

Key Topics:

  • Endpoint detection and response (EDR) workflows

  • Attack surface reduction and endpoint hardening

  • Evidence gathering and incident enrichment

  • Automated response and operational tuning

  • Vulnerability management fundamentals

Labs / Practical Exercises (if applicable):

  • Triage an endpoint alert, perform a device investigation, and execute containment actions

  • Review Threat and Vulnerability Management findings (now Microsoft Defender Vulnerability Management) to identify environment weaknesses and propose remediation priorities

-
Module 2: Mitigate Threats Using Microsoft Defender XDR

This module covers unified incident investigation across domains using Microsoft Defender XDR, including incident correlation, investigation workflows, and risk remediation across identity, email, and cloud applications.

Lessons:

  • Introduction to Microsoft Defender XDR threat protection

  • Incident triage and investigation using the Microsoft Defender portal

  • Remediating email and collaboration threats with Defender for Office 365

  • Managing identity risk signals and protection concepts

  • Safeguarding identity infrastructure with Defender for Identity

  • Securing cloud apps using Defender for Cloud Apps (CASB capabilities)

Key Topics:

  • Cross-domain incident correlation and investigation

  • Identity protection and sign-in risk signals

  • Email threat investigation and remediation

  • Cloud app visibility, governance, and control

  • SOC operational workflows and escalation patterns

Labs / Practical Exercises (if applicable):

  • Investigate a multi-domain incident and document findings, scope, and next actions

  • Apply remediation steps across identity and email threat scenarios

-
Module 3: Mitigate Threats Using Microsoft Defender for Cloud

This module teaches how to use Microsoft Defender for Cloud to improve security posture and protect cloud workloads across Azure, hybrid, and on-premises environments, including alert remediation and posture management.

Lessons:

  • Planning cloud workload protection and enabling core capabilities

  • Connecting Azure assets to Defender for Cloud for threat detection

  • Connecting non-Azure resources for hybrid protection coverage

  • Managing cloud security posture management (CSPM) findings and guidance

  • Understanding workload protections and detections across resource types

  • Remediating security alerts and validating risk reduction actions

Key Topics:

  • Cloud workload protection (CWP) and CSPM fundamentals

  • Hybrid coverage and onboarding strategy

  • Security recommendations and posture improvement

  • Alert triage and remediation workflows

  • Workload-specific protections and detections

Labs / Practical Exercises (if applicable):

  • Review posture recommendations, prioritize actions, and create a remediation plan

  • Investigate a Defender for Cloud alert and document response steps

-
Module 4: Configure Your Microsoft Sentinel Environment

This module establishes the operational foundation for Microsoft Sentinel by configuring workspaces, understanding ingested data, and enabling watchlists and threat intelligence to support detection and investigations.

Lessons:

  • Microsoft Sentinel overview and SOC value proposition

  • Creating and managing Microsoft Sentinel workspaces

  • Querying logs in Microsoft Sentinel: tables, fields, and ingested data

  • Building and using watchlists for enrichment and investigation support

  • Utilizing threat intelligence indicators and management concepts

  • Integrating Microsoft Defender XDR with Microsoft Sentinel for unified operations

Key Topics:

  • SIEM/SOAR workspace architecture and configuration

  • Log ingestion and data exploration basics

  • Watchlists and enrichment patterns

  • Threat intelligence operationalization

  • XDR + SIEM integration concepts

Labs / Practical Exercises (if applicable):

  • Configure a Sentinel workspace and validate data ingestion paths

  • Create a watchlist and use it in a query to enrich investigation results
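
The watchlist and threat intelligence lessons above come together in one enrichment pattern. The query below is an added example written for this page, not course lab material. It assumes a watchlist named HighValueAssets has been uploaded with an Account column chosen as the search key and a Tier column, that Entra ID sign-in logs are flowing into SigninLogs, and that threat intelligence indicators are stored in the classic ThreatIntelligenceIndicator table.

```kql
// Added example (not course material): enrich sign-in events for watchlisted
// accounts and flag source IPs that match an active threat-intelligence indicator.
// Assumed watchlist: HighValueAssets, search key = Account, extra column = Tier.
let highValue =
    _GetWatchlist('HighValueAssets')
    | project Account = tolower(tostring(SearchKey)), Tier;
// Keep only active, unexpired network indicators; the table is append-only,
// so take the newest copy of each IndicatorId.
let tiIps =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project TiIp = NetworkIP, ConfidenceScore, ThreatType, Description;
SigninLogs
| where TimeGenerated > ago(1d)
| extend Account = tolower(UserPrincipalName)
| join kind=inner highValue on Account                      // watchlisted accounts only
| join kind=leftouter tiIps on $left.IPAddress == $right.TiIp
| extend TiMatch = isnotempty(TiIp)
| project TimeGenerated, Account, Tier, IPAddress, ResultType, Location, AppDisplayName,
          TiMatch, ConfidenceScore, ThreatType, Description
| order by TiMatch desc, Tier asc, TimeGenerated desc
```

The inner join is what turns the watchlist into a filter; switching it to kind=leftouter keeps every sign-in and simply labels the watchlisted ones with their Tier. Newer workspaces may expose indicators through the ThreatIntelIndicators table instead, in which case the tiIps block is the only part that needs to change.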

-
Module 5: Create Queries for Microsoft Sentinel Using Kusto Query Language (KQL)

This module builds practical KQL capability for security analysis, detection support, and reporting—covering query structure, summarization, visualization, multi-table querying, and string manipulation for log data.

Lessons:

  • Constructing KQL statements for Microsoft Sentinel

  • Analyzing query results with summarization and visualization techniques

  • Building multi-table statements (union/join patterns)

  • Working with log data and manipulating string fields for security use cases

  • Applying KQL outputs to detections, workbooks, and hunting workflows

Key Topics:

  • KQL syntax patterns and operator usage

  • Summarization, aggregation, and visual rendering concepts

  • Multi-source analysis across tables

  • Data parsing and transformation for security telemetry

  • Query performance and maintainability considerations

Labs / Practical Exercises (if applicable):

  • Write KQL queries to detect suspicious activity patterns and produce a summary view

  • Build a multi-table query to correlate signals across different log sources

  • Write a KQL query that matches ingested events against threat intelligence indicators (for example, the ThreatIntelligenceIndicator table) to enrich investigation and alerting contexts
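
The summarization, multi-table and string-manipulation lessons of this module can be exercised in a single query. The following is an added example for this page, not a course lab solution. It assumes SigninLogs is populated from Entra ID and uses the documented sign-in result codes 50126, 50053, 50055 and 50056 (bad password, locked out, expired password, null password) as the failure set; the ten-failure threshold and one-hour window are illustrative choices.

```kql
// Added example (not course material): a burst of credential failures from one IP
// followed by a successful sign-in from the same IP. Demonstrates summarize,
// a two-table join and string parsing on the UserAgent field.
let lookback = 1h;
let failureThreshold = 10;      // illustrative; tune to the environment
let failureCodes = datatable(ResultType:string) ["50126", "50053", "50055", "50056"];
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (failureCodes)
    | summarize FailedCount   = count(),
                TargetedUsers = dcount(UserPrincipalName),
                UserSample    = make_set(UserPrincipalName, 5),
                FirstFail     = min(TimeGenerated),
                LastFail      = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= failureThreshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, UserAgent, AppDisplayName;
failures
| join kind=inner successes on IPAddress
| where SuccessTime >= FirstFail                     // success came after the burst began
| extend UserDomain = tostring(split(UserPrincipalName, "@")[1]),
         // first parenthesised token of the UserAgent, e.g. "Windows NT 10.0"
         ClientOS  = extract(@"\(([^;)]+)", 1, UserAgent)
| project SuccessTime, IPAddress, UserPrincipalName, UserDomain, ClientOS, AppDisplayName,
          FailedCount, TargetedUsers, UserSample, FirstFail, LastFail
| order by FailedCount desc
```

A high TargetedUsers value with a low FailedCount per user points to password spraying rather than a brute force against one account. For the visualization lesson, drop the final project and order and finish with summarize count() by bin(SuccessTime, 5m), IPAddress followed by render timechart.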

-
Module 6: Create Detections and Perform Investigations Using Microsoft Sentinel

This module focuses on building detection and response operations in Sentinel, including analytics rules, automation rules, playbooks, incident management, behavior analytics, normalization, monitoring, and content management.

Lessons:

  • Threat detection using Microsoft Sentinel analytics

  • Automation in Microsoft Sentinel for standardized incident handling

  • Threat response using Microsoft Sentinel playbooks

  • Security incident management: evidence, entities, and workflows

  • Behavioral analytics for identifying suspicious activity patterns

  • Data normalization concepts and consistent analytic outcomes

  • Querying, visualizing, and monitoring security data

  • Managing and maintaining content in Microsoft Sentinel

Key Topics:

  • Detection engineering and analytics governance

  • SOAR automation and playbook design concepts

  • Incident lifecycle management and operational metrics

  • Entity-based investigation and behavioral analytics

  • Data normalization approaches for scalable detection

  • Content lifecycle and operational tuning

Labs / Practical Exercises (if applicable):

  • Create an analytics rule and validate incident creation and enrichment

  • Configure a playbook-driven response workflow for a high-priority alert
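
The analytics and normalization lessons meet in a scheduled rule whose query reads the ASIM authentication schema rather than a single product table. The query below is an added example for this page, not course content. It assumes the ASIM unifying parser _Im_Authentication is available in the workspace and that the rule runs hourly with a one-hour query period; the fourteen-day baseline is an illustrative choice.

```kql
// Added example (not course material): scheduled-rule query on the ASIM
// Authentication schema. Surfaces a successful logon for an account from a source
// IP that account did not use during the baseline window, whatever the log source.
let baselineStart = ago(14d);
let currentStart  = ago(1h);   // match the rule's query period and frequency
let baseline =
    _Im_Authentication(starttime=baselineStart, endtime=currentStart)
    | where EventResult == "Success"
    | where isnotempty(TargetUsername) and isnotempty(SrcIpAddr)
    | extend TargetUsername = tolower(TargetUsername)
    | distinct TargetUsername, SrcIpAddr;
_Im_Authentication(starttime=currentStart, endtime=now())
| where EventResult == "Success"
| where isnotempty(TargetUsername) and isnotempty(SrcIpAddr)
| extend TargetUsername = tolower(TargetUsername)
| join kind=leftanti baseline on TargetUsername, SrcIpAddr     // keep only unseen account/IP pairs
| summarize StartTime  = min(TimeGenerated),
            EndTime    = max(TimeGenerated),
            LogonCount = count(),
            Sources    = make_set(strcat(EventVendor, "/", EventProduct)),
            Hosts      = make_set(TargetHostname, 10)
          by TargetUsername, SrcIpAddr
// In the rule's entity mapping bind Account to TargetUsername, IP to SrcIpAddr
// and Host to Hosts so the incident carries investigable entities.
```

Because the parser normalizes Windows security events, Entra ID sign-ins, Okta, and other sources into one schema, the same rule covers every connected identity provider, and the Sources column records which ones contributed to the incident.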

-
Module 7: Perform Threat Hunting in Microsoft Sentinel

This module develops proactive hunting capability using Sentinel hunting tools, including hunting process concepts, query-driven hunts, bookmarking and livestream techniques, search jobs for large datasets, and notebooks for advanced hunting.

Lessons:

  • Threat hunting concepts and structured hunting processes

  • Threat hunting with Microsoft Sentinel using queries and hunt workflows

  • Using bookmarks and livestream to track and operationalize hunt findings

  • Using Search jobs for long-range, large-volume investigations

  • Hunting with notebooks for advanced analytics and investigative workflows

Key Topics:

  • Proactive threat hunting methodology

  • Query-driven behavioral analysis and hypothesis testing

  • Evidence tracking and operationalizing hunt results

  • Large-scale dataset searching and investigation strategies

  • Advanced hunting with notebooks (concepts and use cases)

Labs / Practical Exercises (if applicable):

  • Execute a hunting hypothesis with KQL, create bookmarks, and document findings

  • Use a search job to investigate long-duration activity and summarize results
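
A hunt starts from a hypothesis and a query that stacks evidence so the rare cases stand out. The following is an added example for this page, not course lab content, for the hypothesis "encoded PowerShell is being launched on a small number of hosts". It assumes Microsoft Defender for Endpoint is connected and populating DeviceProcessEvents; the seven-day window and three-host rarity threshold are illustrative.

```kql
// Added example (not course material): hunt for -EncodedCommand PowerShell,
// decode the payload, and stack results by host prevalence so rare payloads surface.
let lookback = 7d;
let rareThreshold = 3;    // payloads seen on this many hosts or fewer
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}"
| extend Encoded = extract(@"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
// The payload is UTF-16LE; for ASCII scripts every second byte is NUL, so strip them.
// Non-ASCII characters in the script will not decode cleanly with this shortcut.
| extend DecodedText = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
| summarize HostCount  = dcount(DeviceName),
            Hosts      = make_set(DeviceName, 10),
            Accounts   = make_set(AccountName, 10),
            Parents    = make_set(InitiatingProcessFileName, 10),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            RawSample  = take_any(ProcessCommandLine)
          by DecodedText
| where HostCount <= rareThreshold
| order by HostCount asc, LastSeen desc
```

Rows that look malicious are bookmarked with the host and account as mapped entities, and the same filter can be promoted to a livestream to catch new launches while the hunt is open. When the hypothesis needs data older than the workspace's interactive retention, run the filter portion (the where clauses, without the summarize) as a search job; the results land in a dedicated table with a _SRCH suffix that the summarize step can then be pointed at.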