4.5 Volume Management and Exam Relevance
Volume Management
Non-interactive sign-in logs generate significantly more volume than interactive logs — often 10x to 50x more. Token refreshes for Exchange Online, Teams, SharePoint, and OneDrive occur continuously throughout the day for every active user. This has cost implications for Sentinel ingestion.
The ConditionalAccessPolicies field in non-interactive logs is the largest contributor to log size, often representing 50–80% of each record’s byte size. Many organisations use Data Collection Rules (DCRs) to strip this field from non-interactive logs before ingestion, reducing costs without losing investigative value. The conditional access outcome for non-interactive sign-ins is almost always identical to the outcome of the preceding interactive sign-in.
(Source: Save money on your Sentinel ingestion costs with Data Collection Rules — Microsoft Community Hub)
If your organisation has not yet addressed non-interactive log volume, raise it. It is one of the most impactful cost optimisations available in Sentinel.
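As an added example (not part of this module), the following KQL first measures how much of the AADNonInteractiveUserSignInLogs table the ConditionalAccessPolicies field accounts for, and then shows the transformation that strips it. The measurement uses the Log Analytics _BilledSize column and string_size() as an approximation; the second query is written to go in the transformKql property of a workspace transformation DCR scoped to that table, where the input is always referred to as source.

```kql
// Added example, not the module's own query.
// Query 1: quantify the share of daily volume held by ConditionalAccessPolicies
// before touching the DCR, so the saving can be reported, not guessed.
// _BilledSize is the per-record billed size; string_size() approximates the
// UTF-8 byte size of the string-typed ConditionalAccessPolicies column.
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1d)
| extend CAPBytes = string_size(ConditionalAccessPolicies)
| summarize Records = count(),
            TotalMB = round(sum(_BilledSize) / 1048576.0, 1),
            CAPMB = round(sum(CAPBytes) / 1048576.0, 1)
| extend CAPPercentOfTable = round(100.0 * CAPMB / TotalMB, 1)

// Query 2: the transformKql body for a workspace transformation DCR on the
// AADNonInteractiveUserSignInLogs table. project-away drops the field before
// the record is ingested, so it is never billed. The interactive SigninLogs
// table is left untouched, which keeps the CA outcome available for the
// interactive sign-in that preceded each token refresh.
source
| project-away ConditionalAccessPolicies
```

Run Query 1 against a normal business day before and after the DCR change; the before figure is the evidence you raise with whoever owns the Sentinel budget, and the after figure confirms the transform is actually being applied.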
SC-200 Exam Relevance
Two SC-200 objectives map directly to this module:
Investigate Entra ID sign-in logs: The exam expects you to interpret sign-in log fields, identify the meaning of common ResultType codes, and understand the difference between interactive and non-interactive sign-ins. Scenario-based questions may show a sign-in log entry and ask you to determine whether the sign-in is suspicious.
Analyze identity-related threats: Questions will test your ability to recognise patterns like impossible travel, password spray (many users failing from one IP), and token replay (non-interactive successes from cloud hosting IPs). Know which fields to check and in what order.
(Source: SC-200 study guide — Microsoft Learn)
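The password spray pattern named above (many users failing from one IP), as an added KQL example that is not part of the module or the study guide. The one-hour window and the threshold of 20 distinct users are constructed values to tune for your tenant; the query uses only the SigninLogs columns and the 50126 code already discussed in this module.

```kql
// Added example, not the module's own query.
// Password spray: one source IP producing invalid-password failures (50126)
// against many different accounts inside a short window.
let lookback = 1h;
let UserThreshold = 20;   // constructed threshold; tune to your environment
let SprayCandidates =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where tostring(ResultType) == "50126"        // invalid username or password
    | summarize FailedUsers = dcount(UserPrincipalName),
                Attempts = count(),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated)
              by IPAddress, ASN = tostring(AutonomousSystemNumber)
    | where FailedUsers >= UserThreshold;
// A spray source that also produced a ResultType 0 in the same window has
// guessed at least one valid password; those rows are triaged first.
let Successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where tostring(ResultType) == "0"
    | summarize SucceededUsers = make_set(UserPrincipalName, 50) by IPAddress;
SprayCandidates
| join kind=leftouter Successes on IPAddress
| extend SucceededUsers = iff(isnull(SucceededUsers), dynamic([]), SucceededUsers)
| project FirstSeen, LastSeen, IPAddress, ASN, FailedUsers, Attempts,
          SucceededCount = array_length(SucceededUsers), SucceededUsers
| order by SucceededCount desc, FailedUsers desc
```

Grouping by ASN as well as IPAddress is deliberate: a spray that rotates through addresses in one hosting provider's range still collapses to a few rows, which is the "check the ASN, not just the IP" habit the module recommends.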
Key Takeaways
- Always query both tables. SigninLogs for interactive, AADNonInteractiveUserSignInLogs for background token activity. Use union isfuzzy=true to combine them.
- ResultType 0 is success. Everything else is a failure or interruption. Learn the critical error codes: 50126 (bad password), 50053 (lockout), 53003 (CA block).
- Check the ASN, not just the IP. An IP from DigitalOcean or AWS authenticating as a regular user is more suspicious than an IP from a known UK ISP.
- Non-interactive sign-ins from unexpected locations are a token theft indicator. This is how AiTM-stolen tokens manifest — not as new interactive logins, but as quiet token refreshes.
- ConditionalAccessStatus “notApplied” is a gap, not a pass. It means no policy evaluated the sign-in. That is a security hole, not a clean bill of health.
- Legacy auth bypasses MFA. If you find successful IMAP, POP3, or SMTP sign-ins, your MFA posture has a hole that attackers will find.
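Pulling the first four takeaways together, here is an added KQL hunt for the token-replay pattern (my example, not the module's): it normalises both tables to one schema, combines them with union isfuzzy=true, builds each user's baseline of interactive sign-in countries, and then surfaces non-interactive successes from outside that baseline or from a cloud-hosting ASN. The ASN list is illustrative (14061 and 16509/14618 are commonly listed for DigitalOcean and Amazon respectively; verify against your own ASN source) and the seven-day window is a constructed value.

```kql
// Added example, not the module's own query.
// Step 1: project both tables to one schema before the union. Columns such as
// AutonomousSystemNumber have different types in the two tables, and an
// unnormalised union would split them into type-suffixed columns.
let lookback = 7d;
let CloudHostingASNs = dynamic(["14061", "16509", "14618"]);   // illustrative
let Interactive =
    SigninLogs
    | where TimeGenerated > ago(lookback) and tostring(ResultType) == "0"
    | project TimeGenerated, UserPrincipalName, IPAddress, Location,
              ASN = tostring(AutonomousSystemNumber), AppDisplayName,
              ClientAppUsed, ConditionalAccessStatus,
              SignInType = "Interactive";
let NonInteractive =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback) and tostring(ResultType) == "0"
    | project TimeGenerated, UserPrincipalName, IPAddress, Location,
              ASN = tostring(AutonomousSystemNumber), AppDisplayName,
              ClientAppUsed, ConditionalAccessStatus,
              SignInType = "NonInteractive";
let AllSuccesses = union isfuzzy=true Interactive, NonInteractive;
// Step 2: the countries a user signed in from interactively are the baseline.
let Baseline =
    AllSuccesses
    | where SignInType == "Interactive"
    | summarize InteractiveCountries = make_set(Location) by UserPrincipalName;
// Step 3: non-interactive successes from a country never seen interactively,
// or from a cloud-hosting ASN, are the quiet token refreshes to investigate.
AllSuccesses
| where SignInType == "NonInteractive"
| join kind=inner Baseline on UserPrincipalName
| where not(set_has_element(InteractiveCountries, Location))
     or ASN in (CloudHostingASNs)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Refreshes = count(),
            Apps = make_set(AppDisplayName, 10),
            ClientApps = make_set(ClientAppUsed, 10),
            CAStatus = make_set(ConditionalAccessStatus)
          by UserPrincipalName, IPAddress, Location, ASN,
             KnownCountries = tostring(InteractiveCountries)
| order by Refreshes desc
```

Two output columns earn their place: ClientApps is where a legacy protocol shows up if the takeaway about IMAP, POP3 and SMTP applies, and CAStatus containing notApplied on a flagged row means the refresh was never evaluated by any policy, which is the gap the fourth takeaway describes rather than a pass.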
References
- Microsoft Entra authentication and authorization error codes — learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
- Microsoft Entra activity logs schema — learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-activity-log-schemas
- Non-interactive sign-in logs — learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-noninteractive-sign-ins
- Connect Azure Active Directory data to Sentinel — learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
- Non-interactive logins: minimizing the blind spot — techcommunity.microsoft.com/blog/microsoftsentinelblog/non-interactive-logins-minimizing-the-blind-spot/2287932
- Save money on Sentinel ingestion with DCRs — techcommunity.microsoft.com/blog/microsoftsentinelblog/save-money-on-your-sentinel-ingestion-costs-with-data-collection-rules/4270256
- Troubleshoot sign-in errors — learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-troubleshoot-sign-in-errors
- SC-200 study guide (January 2026 update) — learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-200
This concludes the free modules. You now have the foundations: the M365 security ecosystem (Module 1), KQL query skills (Module 2), portal navigation and incident management (Module 3), and identity investigation through sign-in logs (Module 4).
Ready for the full SC-200 track? Subscribe to unlock Modules 5–28, including Sentinel workspace configuration, Defender for Endpoint investigations, the AiTM phishing deep-dive, threat hunting with advanced KQL, and monthly scenario challenges.
Module 4 — Final knowledge check
1. You are investigating a potential AiTM attack. The user's SigninLogs show a successful interactive sign-in from London. Where do you look for evidence of token replay from a different location?
2. A password spray attack targets 500 accounts from 3 IP addresses. Which query approach detects this?
3. What is the purpose of Data Collection Rules (DCRs) in the context of sign-in log ingestion?
4. ResultType 50053 means the account is locked. ResultType 50126 means invalid credentials. In a brute force investigation, which pattern distinguishes brute force from a user who simply forgot their password?
5. Why should you check ClientAppUsed when investigating a compromised account?