Final assessment (12 questions)
1. A user's SigninLogs show a successful sign-in from New York at 09:14. AADNonInteractiveUserSignInLogs shows successful token refreshes from Lagos starting at 09:22. What happened?
The user is using a VPN
Normal token refresh behavior
Token replay — an attacker captured the session token (likely via AiTM) and is replaying it from Lagos. The legitimate user signed in from New York; the attacker's token activity appears from a completely different location.
The interactive sign-in from New York is the legitimate user. The non-interactive activity from Lagos is the attacker replaying the stolen token: an AiTM proxy captures the session during the real sign-in, and the refresh tokens behind that session are then used from the attacker's infrastructure. No corresponding interactive sign-in from Lagos exists, so the token was stolen, not earned through a login page. The eight-minute gap between the two events is consistent with a proxied phishing sign-in. Confirm by checking that Lagos never appears in SigninLogs for this user, then revoke the user's sessions.
2. ResultType 50126 appears 342 times from IP 203.0.113.45 targeting the account s.williams@. What attack is this?
Brute force — many failures from one IP targeting one account, all with error 50126 (invalid credentials)
Password spray
Token replay
342 failures from a single IP targeting a single account with error 50126 (wrong password) is textbook brute force. Password spray would show the same IP targeting many different accounts with fewer attempts per account.
3. IP 203.0.113.45 shows 50 failures across 40 different user accounts. What attack is this?
Brute force
Password spray — one IP targeting many accounts (dcount of UserPrincipalName is high), with 1-2 attempts per account (below lockout thresholds)
DDoS
50 failures across 40 accounts is about 1.25 attempts per account. Each account on its own sees what looks like one or two mistyped passwords, well below any lockout threshold. Only the IP-level aggregation reveals the coordinated attack across dozens of accounts.
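The distinction between questions 2 and 3 is one aggregation away. The KQL below is an added example, not a query from the course: it groups ResultType 50126 failures by source IP and labels each IP as brute force or password spray from the count of distinct targets and attempts per target. The thresholds (20 attempts on one account, 10 or more accounts at 3 or fewer attempts each) are assumptions to tune against your tenant's normal failure rate.

```kql
// Added example (not from the course). Classify 50126 failures per source IP.
// 50126 = invalid username or password; other failure codes are deliberately
// left out so the pattern matches the scenario in questions 2 and 3.
let lookback = 1h;
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126";
failures
| summarize
    Attempts = count(),
    TargetedAccounts = dcount(UserPrincipalName),
    SampleAccounts = make_set(UserPrincipalName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress
| extend AttemptsPerAccount = round(todouble(Attempts) / TargetedAccounts, 2)
// Thresholds are assumptions; a single account taking 20+ failures from one IP is
// brute force, 10+ accounts at <=3 attempts each is a spray staying under lockout.
| extend Pattern = case(
    TargetedAccounts == 1 and Attempts >= 20, "Brute force",
    TargetedAccounts >= 10 and AttemptsPerAccount <= 3, "Password spray",
    "Review")
| where Pattern != "Review"
| order by Attempts desc
```

Against the two scenarios in the questions, 203.0.113.45 with 342 failures on s.williams@ lands in "Brute force" (one target, hundreds of attempts) and the same IP with 50 failures over 40 accounts lands in "Password spray" (AttemptsPerAccount 1.25). A spray that rotates source IPs every few requests will not aggregate this way; for that case group by UserAgent or by the /24 instead of the full address.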
4. A sign-in shows ClientAppUsed = "IMAP4" with ResultType = 0 from an unfamiliar IP. Why is this critical?
IMAP is outdated but harmless
IMAP sign-ins are always suspicious
Basic-auth IMAP cannot carry an MFA challenge, so the attacker authenticated with stolen credentials over a legacy protocol and bypassed every modern authentication control. They have direct mailbox access.
Legacy (basic) authentication sends only a username and password; there is no step in the protocol where an MFA prompt can be inserted, so a valid password is the whole check. An attacker with credentials can use IMAP to read every email in the mailbox without ever triggering MFA. Blocking legacy authentication in conditional access eliminates this entire vector.
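To find this activity across the tenant rather than one sign-in at a time, the following added example (not a query from the course) lists successful legacy-protocol sign-ins per user and protocol, with the distinct source IPs and whether the sign-in was single-factor. The protocol list mirrors the ClientAppUsed values Entra ID uses for basic authentication; the 7-day window is an assumption.

```kql
// Added example (not from the course). Successful sign-ins over legacy protocols.
// ClientAppUsed is the protocol; AuthenticationRequirement shows whether the
// sign-in was single-factor, which is what makes the legacy path dangerous.
let legacyProtocols = dynamic([
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "MAPI Over HTTP",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)", "Other clients"]);
SigninLogs
| where TimeGenerated > ago(7d)      // window is an assumption
| where ResultType == "0"           // successes only
| where ClientAppUsed in (legacyProtocols)
| summarize
    Sessions = count(),
    DistinctIPs = dcount(IPAddress),
    SourceIPs = make_set(IPAddress, 20),
    Countries = make_set(Location, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, ClientAppUsed, AuthenticationRequirement
| order by DistinctIPs desc, Sessions desc
```

A mailbox that normally syncs from one IP and suddenly shows IMAP4 from a second country is the case in question 4. Widened to 30 days and without the ResultType filter, the same query is also the inventory you run before enforcing a legacy-auth block: it shows which accounts (service mailboxes, scanners, scripts) still depend on basic auth and need migrating or an explicit exclusion.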
5. ConditionalAccessStatus = "notApplied" on a successful sign-in to Azure Portal. What does this mean?
The sign-in was blocked by CA
CA evaluated and passed
No conditional access policy evaluated — this sign-in had zero protection beyond credentials. An attacker with stolen credentials accesses Azure Portal unimpeded. This is a critical gap.
"notApplied" means no conditional access policy matched the conditions (user, app, location, device); common causes are an excluded user or group, an app not covered by any policy, or a policy still in report-only mode. The sign-in was allowed on credentials alone: no MFA, no device check, no location restriction. Every "notApplied" result on a successful sign-in is a gap in your security posture to review.
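The gap becomes actionable once you know which applications and users produce it. This added example (not a query from the course) groups successful sign-ins with ConditionalAccessStatus "notApplied" by application and counts how many were single-factor, so the Azure Portal case from the question surfaces alongside any other unprotected app. The 7-day window is an assumption.

```kql
// Added example (not from the course). Successful sign-ins that no conditional
// access policy applied to, grouped by application. Single-factor ones are the
// sign-ins that would have succeeded with nothing but a stolen password.
SigninLogs
| where TimeGenerated > ago(7d)      // window is an assumption
| where ResultType == "0"
| where ConditionalAccessStatus == "notApplied"
| summarize
    SignIns = count(),
    Users = dcount(UserPrincipalName),
    SingleFactor = countif(AuthenticationRequirement == "singleFactorAuthentication"),
    SampleUsers = make_set(UserPrincipalName, 5),
    Countries = make_set(Location, 10)
    by AppDisplayName
| extend SingleFactorPct = round(100.0 * SingleFactor / SignIns, 1)
| order by SingleFactor desc
```

Add `| where AppDisplayName == "Microsoft Azure Portal"` to isolate the scenario in the question. An app that appears here with a high SingleFactorPct is either missing from every policy's target list or being reached by users who are excluded from all of them; both are fixed in the policy scope, not in the SIEM.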
6. What is the purpose of the anti-join pattern in token replay detection?
It finds non-interactive sign-in IPs that have NO corresponding interactive sign-in for the same user — IPs where the token was used but never earned through a login page
It finds matching IPs across both tables
It counts sign-ins per IP
The anti-join returns non-matches: non-interactive IPs that do NOT appear in the interactive baseline. A legitimate user's non-interactive IPs normally match their interactive IPs (same device, same network), so the anti-join leaves almost nothing behind for them. An attacker's IP appears only in the non-interactive table: the token was stolen and replayed, not earned through a login page. Expect some noise from mobile carriers and rotating VPN egress addresses, which is why the result is ranked and investigated rather than alerted on blindly.
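For questions 1 and 6, this is the anti-join written out. It is an added example, not a query from the course: the interactive baseline is every (user, IP) pair with a successful sign-in in SigninLogs over the last 30 days, and the detection keeps token activity in AADNonInteractiveUserSignInLogs from the last day whose (user, IP) pair never appears in that baseline. The window lengths are assumptions.

```kql
// Added example (not from the course). Token replay via anti-join:
// non-interactive (token refresh) activity from IPs the same user never
// used for an interactive sign-in during the baseline window.
let baselineWindow = 30d;   // assumption: long enough to cover the user's normal networks
let detectionWindow = 1d;   // assumption: the period being investigated
let interactiveIPs =
    SigninLogs
    | where TimeGenerated > ago(baselineWindow)
    | where ResultType == "0"
    | summarize InteractiveFirstSeen = min(TimeGenerated) by UserPrincipalName, IPAddress;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(detectionWindow)
| where ResultType == "0"
| summarize
    TokenUses = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Apps = make_set(AppDisplayName, 10),
    Country = take_any(Location)
    by UserPrincipalName, IPAddress
// leftanti keeps only left rows with no match on the right: IPs where the
// token was used but never earned through a login page.
| join kind=leftanti interactiveIPs on UserPrincipalName, IPAddress
| order by TokenUses desc
```

In the question 1 scenario the New York address matches the user's interactive sign-in and drops out; the Lagos address has no interactive counterpart and is returned with its first-seen time of 09:22. The same query is the practical answer to question 11: it only works because both tables are in play, and the Lagos row exists in neither table's interactive view.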
7. You see a successful sign-in at 2:14 AM for a 9-to-5 employee from an unfamiliar IP. What is your assessment?
Probably working late
Scheduled task running
Strong compromise indicator — off-hours activity from an unfamiliar IP suggests the legitimate user is asleep while an attacker operates in their account. Check the non-interactive logs for the same IP.
Time + IP + user's normal pattern together tell the story. 2 AM from a known corporate VPN IP could be overtime. 2 AM from a never-before-seen IP in a different country is almost certainly compromise. Context matters — which is why baselines (subsection 4.9) are critical.
8. Your application baseline query shows a finance user suddenly accessing Azure Key Vault. Why investigate?
A finance user has no legitimate reason to access Key Vault (secrets, certificates, encryption keys). This is either a compromised account or an insider exploring resources beyond their role — both require investigation.
Key Vault access is always suspicious
The user was probably curious
Application access deviation from role baseline is a strong signal. Attackers with stolen credentials explore what they can reach — Key Vault, Azure Portal, admin centers. Application baselines catch this exploration before the attacker finds something valuable.
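Questions 7 and 8 are two dimensions of the same baseline. The added example below (not a query from the course) builds a per-user 30-day baseline of sign-in IPs and applications, then flags recent successful sign-ins that are off-hours from a never-seen IP, or that reach an application the user has never used. Business hours are assumed to be 08:00 to 18:00 on weekdays in UTC; TimeGenerated is UTC, so shift it to your users' time zone before relying on the off-hours flag.

```kql
// Added example (not from the course). Baseline each user's known IPs and apps
// over the prior 30 days, then flag deviations in the last day.
// Business hours (08:00-18:00 UTC, Mon-Fri) are an assumption; adjust per region.
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(31d) .. ago(1d))
    | where ResultType == "0"
    | summarize
        KnownIPs = make_set(IPAddress, 500),
        KnownApps = make_set(AppDisplayName, 200)
        by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"
| join kind=inner baseline on UserPrincipalName   // users with no baseline are skipped
| extend Hour = hourofday(TimeGenerated), Day = dayofweek(TimeGenerated)
| extend OffHours = Hour < 8 or Hour >= 18 or Day == 0d or Day == 6d   // 0d = Sunday
| extend NewIP = not(set_has_element(KnownIPs, IPAddress))
| extend NewApp = not(set_has_element(KnownApps, AppDisplayName))
| extend Reason = case(
    OffHours and NewIP, "Off-hours sign-in from unfamiliar IP",
    NewApp, strcat("First access to ", AppDisplayName),
    "")
| where isnotempty(Reason)
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
          ClientAppUsed, Reason
| order by TimeGenerated desc
```

The 2:14 AM sign-in from question 7 is returned only when the IP is absent from the user's 30-day set, which is the distinction the explanation draws between a known VPN address and a never-before-seen one. A finance user's first sign-in to Azure Key Vault (question 8) is returned by the second branch. New joiners have no baseline and are dropped by the inner join; give them a separate rule or a shorter baseline rather than letting them flood this one.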
9. A report-only conditional access policy shows it would have blocked 340 sign-ins this week. What should you do?
Leave it in report-only indefinitely
Analyze the 340 sign-ins — if they are predominantly risky or anomalous activity (not legitimate business), move the policy to enforced mode. If enforcement would disrupt legitimate operations, adjust the policy scope first.
Delete the policy
Report-only mode is for testing before enforcement. The data tells you exactly what would happen if you enforced. Analyze the 340 blocked sign-ins: are they attacks you want to stop, or legitimate users who would be disrupted? The answer determines whether to enforce as-is or adjust scope first.
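Analyzing the 340 sign-ins is a query against the ConditionalAccessPolicies array each sign-in carries. This added example (not a query from the course) expands that array, keeps entries where the named policy returned reportOnlyFailure (it would have blocked), and summarizes who and what would be affected, with the share that Identity Protection already rated risky. The policy display name and the 7-day window are assumptions.

```kql
// Added example (not from the course). What a report-only policy would have blocked.
// Each sign-in's ConditionalAccessPolicies array holds one entry per policy with a
// result; reportOnlyFailure means the policy would have denied the sign-in.
let policyName = "Require MFA for all users (report-only)";   // assumption: your policy's display name
SigninLogs
| where TimeGenerated > ago(7d)      // window is an assumption
| mv-expand Policy = ConditionalAccessPolicies
| where tostring(Policy.displayName) == policyName
| where tostring(Policy.result) == "reportOnlyFailure"
| summarize
    WouldBlock = count(),
    Users = dcount(UserPrincipalName),
    Risky = countif(RiskLevelDuringSignIn in ("medium", "high")),
    SampleUsers = make_set(UserPrincipalName, 5),
    SourceIPs = make_set(IPAddress, 10)
    by AppDisplayName, ClientAppUsed, Location
| extend RiskyPct = round(100.0 * Risky / WouldBlock, 1)
| order by WouldBlock desc
```

Read the output the way the explanation describes: rows dominated by unfamiliar countries, legacy ClientAppUsed values or high RiskyPct are attacks the policy should be enforced against; rows full of known users on corporate IPs hitting a line-of-business app are the disruption to scope out (exclude the app, or target a group) before moving from report-only to On.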
10. You want to convert your "sign-in from new country" baseline query into an automated detection. What do you do?
Save it as a scheduled Sentinel analytics rule with entity mapping to the user account and IP address, appropriate severity, and a lookback window matching your baseline period
Run it manually every morning
Add it to a workbook
Analytics rules automate detection. Entity mapping links the detected user and IP to Sentinel entities, enabling the correlation engine to group this alert with related detections. This is the bridge from Module 4 (investigation skill) to Module 10 (detection engineering).
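The query side of that conversion, as an added example (not a query from the course): the "sign-in from new country" hunt rewritten so a scheduled analytics rule can consume it. The baseline is 30 days of (user, country) pairs, the detection window is 1 day to match a daily rule frequency and period, and the output is summarized per user and country with the columns you map to the Account and IP entities. The window lengths are assumptions.

```kql
// Added example (not from the course). Rule-ready form of the new-country baseline.
// Schedule: run every 1d, look up data from the last 1d; the 30d baseline is read
// inside the query, so the rule's own period only needs to cover detectionWindow.
let baselineWindow = 30d;   // assumption: same period the hunting query used
let detectionWindow = 1d;   // assumption: matches the rule's query frequency
let knownCountries =
    SigninLogs
    | where TimeGenerated between (ago(baselineWindow) .. ago(detectionWindow))
    | where ResultType == "0"
    | where isnotempty(Location)
    | distinct UserPrincipalName, Location;
SigninLogs
| where TimeGenerated > ago(detectionWindow)
| where ResultType == "0"
| where isnotempty(Location)
| join kind=leftanti knownCountries on UserPrincipalName, Location
// One alert per user and country, not one per sign-in, to avoid flooding.
| summarize
    SignIns = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Apps = make_set(AppDisplayName, 10),
    IPAddress = take_any(IPAddress)
    by UserPrincipalName, Location
// Columns for entity mapping: Account -> Name + UPNSuffix, IP -> Address.
| extend Name = tostring(split(UserPrincipalName, "@")[0]),
         UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project FirstSeen, LastSeen, SignIns, UserPrincipalName, Name, UPNSuffix,
          Location, IPAddress, Apps
```

In the rule, map the Account entity to Name and UPNSuffix (or FullName to UserPrincipalName) and the IP entity to IPAddress; that mapping is what lets Sentinel group this alert with a token-replay or password-spray alert on the same user into one incident. Set severity from the asset at risk rather than the query, and keep the rule's look-back equal to detectionWindow so the same sign-in is not alerted twice.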
11. Why must you check BOTH SigninLogs and AADNonInteractiveUserSignInLogs during every compromise investigation?
They contain different column schemas
Microsoft requires it
Token replay (the most dangerous post-compromise technique) appears ONLY in non-interactive logs. Checking only SigninLogs misses stolen token usage entirely — you would see the legitimate sign-in but not the attacker's activity.
This is the single most important lesson in Module 4. Interactive shows the front door. Non-interactive shows the back door. Attackers with stolen tokens use the back door exclusively. One table gives you half the picture.
12. What is the single highest-impact hardening action for most organizations that have not yet done it?
Deploy SIEM
Block legacy authentication via conditional access — it eliminates the entire class of MFA-bypass attacks via IMAP, POP3, and SMTP with a single configuration change
Increase password complexity requirements
Blocking legacy auth is a configuration change that takes minutes and removes credential-only access over every legacy protocol at once. No hardware, no user training, no ongoing cost. Stage it in report-only mode first (question 9) to find the scanners, printers, service mailboxes and scripts that still depend on basic auth, migrate or explicitly exclude those, then enforce. If your organization has not done this, it should be your top priority, ahead of almost everything else.