AD5.11 Interactive Lab: Security Monitoring Exercise
This lab uses the alert simulator to present you with one week's worth of Defender portal incidents, sign-in log entries, and DLP matches. You'll execute the Monday security review: check the incident queue, investigate sign-in anomalies, check Secure Score, review email threats, and check device compliance and DLP. For each finding, you'll classify the alert, decide whether to escalate, and record your actions in the weekly security log — building the muscle memory for the monitoring cadence you'll follow every Monday in production.
What you practised
This lab tested your ability to execute the 5-check Monday review, classify incidents (TP/FP/BTP), investigate sign-in anomalies using the 5-minute investigation procedure, read the attack story for medium-severity incidents, decide when to escalate vs handle yourself, and record findings in the weekly security log. The key judgment calls: a 02:00 sign-in from an unusual IP that passed MFA (investigate — don't assume travel), an inbox rule forwarding financial emails (BEC indicator — investigate immediately), and a Secure Score drop (investigate configuration change — don't ignore it).
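The three judgment calls above, expressed as triage logic over a week's log entries and rendered as weekly security log lines. This is an added example, not part of the course or the lab simulator: the field names, the business-hours window, the usual egress IP set, the tenant domain and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed sample data; field names are assumptions, not Defender's export schema.
USUAL_EGRESS_IPS = {"203.0.113.10"}   # the org's normal egress, assumed
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59, assumed tenant working hours
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank")

@dataclass
class Finding:
    check: str           # which Monday check raised it
    detail: str
    classification: str  # TP / FP / BTP / investigate
    escalate: bool

def review_signins(signins):
    """Off-hours sign-in from an unusual IP is 'investigate' even when MFA passed."""
    out = []
    for s in signins:
        when = datetime.fromisoformat(s["time"])
        if when.hour not in BUSINESS_HOURS and s["ip"] not in USUAL_EGRESS_IPS:
            mfa = "MFA passed" if s["mfa"] else "MFA failed"
            out.append(Finding("sign-in anomalies",
                               f"{s['user']} {when:%a %H:%M} from {s['ip']}, {mfa}", "investigate", False))
    return out

def review_inbox_rules(rules):
    """An inbox rule forwarding financial mail externally is a BEC indicator: escalate now."""
    out = []
    for r in rules:
        external = not r["forward_to"].endswith("@contoso.example")  # placeholder tenant domain
        financial = any(k in r["condition"].lower() for k in FINANCE_KEYWORDS)
        if external and financial:
            out.append(Finding("email threats",
                               f"{r['user']} forwards '{r['condition']}' to {r['forward_to']}", "investigate", True))
    return out

def review_secure_score(previous, current):
    """A score drop means configuration changed; investigate rather than ignore."""
    if current < previous:
        return [Finding("Secure Score", f"dropped {previous} -> {current}", "investigate", False)]
    return []

def weekly_log(findings, reviewed_on):
    """Render the weekly security log entries the lab has you record."""
    return [f"{reviewed_on} | {f.check} | {f.classification} | "
            f"{'ESCALATE' if f.escalate else 'handle'} | {f.detail}" for f in findings]

SIGNINS = [{"user": "j.doe", "time": "2024-01-06T02:00:00", "ip": "198.51.100.7", "mfa": True},
           {"user": "a.lee", "time": "2024-01-05T09:15:00", "ip": "203.0.113.10", "mfa": True}]
RULES = [{"user": "c.finance", "condition": "subject contains Invoice", "forward_to": "drop@mail.example"}]
LOG = weekly_log(review_signins(SIGNINS) + review_inbox_rules(RULES) + review_secure_score(71, 68), "2024-01-08")
```

The second sample sign-in (business hours, usual egress IP) produces no finding, so the log holds exactly one line per check that fired.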
Connection to Module AD6
With structured monitoring operational, Module AD6 covers basic incident response — the detailed procedures for the incidents your monitoring catches. When your Monday review identifies a confirmed credential compromise, AD6 provides the step-by-step response workflow beyond the 15-minute AD1.9 procedure.
You're reading the free modules of M365 Security: From Admin to Defender