AD5.13 Check My Knowledge

5-6 hours · Module 5 · Free

Question 1. What is the core monitoring activity that makes your security program operational?
Checking Secure Score daily — Secure Score changes slowly. Weekly is sufficient.
The 15-minute Monday security review — 5 checks across 3 portals covering all 4 security layers — Correct. The Monday review is the habit that sustains the program. It catches incidents, validates controls, and produces the data for quarterly reporting — all in 15 minutes.
Reviewing every alert in real-time — Not sustainable for an IT administrator. Alert notifications handle high-severity events in real-time. The Monday review handles everything else.
Running PowerShell scripts daily — Monthly metric collection is sufficient. Daily scripting adds overhead without proportional value.
Question 2. An incident titled "Suspicious inbox manipulation rule" is in your queue. The rule forwards emails containing "payment" to an external Gmail address. What classification should you assign?
False positive — inbox rules are normal — Forwarding "payment" emails externally is a BEC hallmark, not normal behavior.
Benign true positive — the user probably created it themselves — Don't assume. Investigate first.
Don't classify yet — investigate first. Disable the rule immediately, check the sign-in log for the user around the rule creation time, and contact the user. If the sign-in was from an unfamiliar source, classify as True Positive and execute AD1.9 — Correct. Investigation before classification. Contain first (disable the rule), then determine the cause.
True positive — close and move on — Classification needs investigation to confirm. TP may require response actions beyond just closing.
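A worked version of that investigation, added here as an example and not taken from the course: it disables every inbox rule in the mailbox that forwards or redirects mail outside the tenant's accepted domains, pulls the New-InboxRule and Set-InboxRule events from the unified audit log to get each rule's creation time and client IP, and then lists the user's sign-ins in the hour around each event so the "unfamiliar source" question can be answered from evidence. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an operator with rights to manage mailbox rules and read the audit and sign-in logs, and that `$Mailbox` is a placeholder UPN you supply.

```powershell
# Added example, not course code. Contain a suspicious inbox rule and gather
# the evidence needed to classify the incident: the rule's creation time and
# source IP from the audit log, and the user's sign-ins around that moment.
# Assumes ExchangeOnlineManagement and Microsoft.Graph; $Mailbox is a placeholder UPN.
param(
    [Parameter(Mandatory)] [string] $Mailbox,
    [int] $LookbackDays = 7
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# 1. Contain. ForwardTo, ForwardAsAttachmentTo and RedirectTo are the rule
#    actions that move mail; a target outside the tenant's accepted domains is
#    treated as exfiltration. Disable rather than delete, so the rule survives
#    as evidence.
$tenantDomains = (Get-AcceptedDomain).DomainName
$suspicious = Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
    foreach ($t in $targets) {
        # Recipient strings look like "Name" [SMTP:user@example.com]; pull the domain.
        if ("$t" -match '@([\w.-]+)' -and $Matches[1] -notin $tenantDomains) { $true; break }
    }
}
foreach ($rule in $suspicious) {
    Disable-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false
    Write-Host "Disabled rule '$($rule.Name)' (subject contains: $($rule.SubjectContainsWords -join ', '))"
}

# 2. When was the rule created, and from which IP? Rule changes land in the
#    unified audit log as New-InboxRule / Set-InboxRule with the client IP.
$records = Search-UnifiedAuditLog -UserIds $Mailbox -Operations New-InboxRule, Set-InboxRule `
    -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) -ResultSize 500
$ruleEvents = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate                                   # UTC
        Operation = $r.Operations
        ClientIP  = $data.ClientIP -replace '^((?:\d{1,3}\.){3}\d{1,3}):\d+$', '$1'   # drop IPv4 port suffix
        RuleName  = ($data.Parameters | Where-Object Name -eq 'Name').Value
    }
}
$ruleEvents | Format-Table -AutoSize

# 3. Correlate: sign-ins in the hour around each rule change. A sign-in from the
#    same unfamiliar IP on an unmanaged device is what turns this into a True Positive.
foreach ($e in $ruleEvents) {
    $from = $e.When.AddHours(-1).ToString('yyyy-MM-dd\THH:mm:ss\Z')
    $to   = $e.When.AddHours(1).ToString('yyyy-MM-dd\THH:mm:ss\Z')
    Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Mailbox' and createdDateTime ge $from and createdDateTime le $to" |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName,
            @{ n = 'Location';     e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
            @{ n = 'Managed';      e = { [bool]$_.DeviceDetail.IsManaged } },
            @{ n = 'SameIpAsRule'; e = { $_.IpAddress -eq $e.ClientIP } },
            @{ n = 'Result';       e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } } |
        Format-Table -AutoSize
}
```

Run it as soon as the incident lands in the queue; step 1 is the containment the correct answer calls for, steps 2 and 3 produce the evidence. If the sign-in that matches the rule's client IP is a success from an unmanaged device the user does not recognise, the classification is True Positive and the response continues in AD1.9; if the rule was created from the user's usual location and device, contact the user before deciding.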
Question 3. You receive a high-severity alert notification at 21:00 on Wednesday. You're not on-call and your organization has a managed SOC partner. What do you do?
Forward the alert to the managed SOC's escalation channel with a brief summary, then investigate yourself the next morning — Correct. The managed SOC provides after-hours coverage. Forward for immediate containment. Investigate in detail during business hours.
Investigate immediately — high severity can't wait — Unsustainable without on-call compensation. The managed SOC handles after-hours high-severity.
Wait until Monday — it'll be in the queue — High-severity can't wait 4+ days. Forward to the managed SOC for immediate action.
Disable alert notifications to avoid after-hours interruptions — Removing visibility doesn't remove the threat. The alert notification is working correctly.
Question 4. Your Secure Score dropped from 67% to 61% between Monday reviews. What's the most likely cause?
An attack lowered the score — Attackers cannot edit the score itself; it is computed from the tenant's configuration. An attacker with admin access could lower it indirectly by disabling a control, which is one more reason to find the configuration change behind the drop.
Normal fluctuation — 6-point drops have specific causes, not random fluctuation.
Microsoft changed the scoring algorithm — Possible but less common. Microsoft does add and rescore improvement actions, and those changes appear in the History tab as well. A 6-point drop is more likely a configuration change in your tenant.
A security control was disabled or modified — check Secure Score History to identify which improvement actions lost points, then investigate the configuration change — Correct. Investigate via History tab, find the lost points, identify the change, and re-enable if accidental.
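The same check done from PowerShell, as an added example rather than course material: it pulls the daily Secure Score snapshots that Microsoft Graph keeps, diffs the per-control scores between the oldest and newest snapshot in the window, and labels each change so a regression in your own configuration is separated from a control Microsoft added or retired. It assumes the Microsoft.Graph.Security module and the SecurityEvents.Read.All permission; the default window of 8 snapshots is a choice made here to span two Monday reviews.

```powershell
# Added example, not course code. Diff two Secure Score snapshots to show which
# improvement actions lost (or gained) points. Assumes Microsoft.Graph.Security
# and the SecurityEvents.Read.All permission.
param([int] $Snapshots = 8)   # 8 daily snapshots spans two Monday reviews

Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# Graph keeps about 90 daily snapshots, newest first; sort oldest -> newest.
$history = @(Get-MgSecuritySecureScore -Top $Snapshots | Sort-Object CreatedDateTime)
if ($history.Count -lt 2) { throw "Need at least two snapshots, got $($history.Count)." }
$baseline = $history[0]
$latest   = $history[-1]

function Get-ScorePercent($s) { [math]::Round(100 * $s.CurrentScore / $s.MaxScore, 1) }
$basePct   = Get-ScorePercent $baseline
$latestPct = Get-ScorePercent $latest
'{0:yyyy-MM-dd}: {1}%  ->  {2:yyyy-MM-dd}: {3}%' -f $baseline.CreatedDateTime, $basePct, $latest.CreatedDateTime, $latestPct

# Index each snapshot's per-control scores by control name, then compare.
$before = @{}; foreach ($c in $baseline.ControlScores) { $before[$c.ControlName] = [double]$c.Score }
$after  = @{}; foreach ($c in $latest.ControlScores)   { $after[$c.ControlName]  = [double]$c.Score }

$changes = foreach ($name in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
    $b = if ($before.ContainsKey($name)) { $before[$name] } else { 0.0 }
    $a = if ($after.ContainsKey($name))  { $after[$name] }  else { 0.0 }
    if ($a -eq $b) { continue }
    $note = if (-not $before.ContainsKey($name)) { 'new control (Microsoft added it)' }
            elseif (-not $after.ContainsKey($name)) { 'control retired by Microsoft' }
            elseif ($a -lt $b) { 'regression: find who changed this setting' }
            else { 'improvement' }
    [pscustomobject]@{ Control = $name; Before = $b; After = $a; Delta = $a - $b; Note = $note }
}

$changes | Sort-Object Delta | Format-Table -AutoSize
$lost = ($changes | Where-Object Delta -lt 0 | Measure-Object Delta -Sum).Sum
"Points lost since $($baseline.CreatedDateTime.ToString('yyyy-MM-dd')): $lost"
```

Every row marked "regression" names a control whose setting moved in your tenant; the directory audit log for that date range shows who changed it, and re-enabling it restores the points if the change was accidental. Rows marked as added or retired by Microsoft are the "scoring changed" case from the distractor above and need no configuration work.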
Question 5. A sign-in log entry shows: MFA "satisfied by claim," unfamiliar IP, unmanaged device, CA003 failure. The sign-in was BLOCKED. Is there still a risk?
No — CA003 blocked the access, so the user is safe — The access was blocked but the credentials are compromised.
Yes — the credentials are still compromised. "Satisfied by claim" from an unfamiliar IP indicates AiTM token replay: the attacker presented a token that already carried the MFA claim, so both the password and a session were captured. CA003 blocked this attempt, but the attacker may try another app, device or location. Reset the password immediately and revoke the user's sign-in sessions — Correct. CA003 stopped the access. The password reset stops the attacker from starting a fresh session, and the session revocation stops any token they already hold from being reused.
No — MFA was satisfied, so the user approved the sign-in — "Satisfied by claim" means the token carried MFA from a previous session. The user didn't approve THIS sign-in.
Maybe — check with the user first — The combination of unfamiliar IP + unmanaged device + MFA by claim is strong enough to reset the password without waiting for user confirmation. Act first, verify after.
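A worked version of that triage, added as an example and not taken from the course: it reads the user's recent sign-ins from the beta sign-in log (whose `authenticationDetails` field carries the "satisfied by claim" text), flags the ones where MFA was satisfied by a claim in the token from an IP outside the user's known list on a device that is neither managed nor compliant, shows which Conditional Access policy blocked each one, and with `-Contain` revokes the user's sessions and resets the password. "Unfamiliar IP" is operationalised here as "not in `$KnownIps`", which you supply. It assumes the Microsoft.Graph.Beta.Reports, Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules and an operator with the directory role needed to reset passwords; `$User` is a placeholder UPN.

```powershell
# Added example, not course code. Flag token-replay sign-ins (MFA satisfied by
# a claim in the token, unfamiliar IP, unmanaged device) for one user and,
# with -Contain, revoke sessions and reset the password. Assumes the
# Microsoft.Graph.Beta.Reports and Microsoft.Graph.Users / Users.Actions modules.
# $User and $KnownIps are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $User,
    [string[]] $KnownIps = @(),   # IPs the user normally signs in from (office egress, home)
    [int]      $Days = 7,
    [switch]   $Contain
)

$scopes = 'AuditLog.Read.All', 'User.ReadWrite.All', 'User.RevokeSessions.All', 'Directory.AccessAsUser.All'
Connect-MgGraph -Scopes $scopes -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-dd\THH:mm:ss\Z')
$signIns = Get-MgBetaAuditLogSignIn -All -Filter "userPrincipalName eq '$User' and createdDateTime ge $since"

$flagged = foreach ($s in $signIns) {
    # "MFA requirement satisfied by claim in the token": no MFA prompt happened in
    # THIS sign-in, the token already carried the claim. Normal for the user's own
    # cached session; suspicious from an IP and device the user never uses.
    $byClaim = $s.AuthenticationDetails | Where-Object { $_.AuthenticationStepResultDetail -like '*satisfied by claim*' }
    if (-not $byClaim) { continue }

    $unfamiliarIp = $s.IpAddress -notin $KnownIps
    $unmanaged    = -not ($s.DeviceDetail.IsManaged -or $s.DeviceDetail.IsCompliant)
    if (-not ($unfamiliarIp -and $unmanaged)) { continue }

    $blockedBy = $s.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure' | ForEach-Object DisplayName
    [pscustomobject]@{
        When      = $s.CreatedDateTime
        Ip        = $s.IpAddress
        Location  = "$($s.Location.City), $($s.Location.CountryOrRegion)"
        App       = $s.AppDisplayName
        Outcome   = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { $s.Status.FailureReason }
        BlockedBy = $blockedBy -join ', '   # e.g. CA003; empty means nothing blocked it
    }
}

if (-not $flagged) { "No token-replay pattern for $User in the last $Days days."; return }
$flagged | Format-Table -AutoSize

# Even when CA blocked every flagged attempt, the password and a session token
# are in the attacker's hands. Invalidate both: the password so no fresh session
# can be started, the sessions so any refresh token already captured stops
# working. Deliver the temporary password out of band, never by e-mail.
if ($Contain) {
    Revoke-MgUserSignInSession -UserId $User | Out-Null

    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp = [Convert]::ToBase64String($bytes)
    Update-MgUser -UserId $User -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true
    }
    "Sessions revoked and password reset for $User. Temporary password: $temp"
}
```

A flagged row whose Outcome is Success with an empty BlockedBy column is the worse case the question does not ask about: the replay got through, and the response moves from password hygiene to the full incident handling in AD1.9. In either case the containment runs before the user is contacted, as the explanation above says.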
Question 6. You should configure alert notifications for which severity levels?
All severities — to ensure nothing is missed — Creates alert fatigue. Low/Info notifications bury High-severity alerts in noise.
High only — Medium and below can wait for the Monday review — Medium severity incidents should be reviewed within 24 hours, not 7 days.
High (immediate email) and Medium (daily digest). Low and Informational are handled during the Monday review — Correct. High gets immediate attention. Medium gets same-day attention. Low/Info gets weekly attention. This balances coverage with sustainability.
None — rely on the Monday review for everything — High-severity incidents can't wait 7 days. Notifications ensure critical events are seen promptly.
Question 7. Your weekly security log shows 13 consecutive "Normal week" entries. What does this demonstrate?
Active, structured monitoring with a stable security posture — evidence for the quarterly report and for any compliance audit that monitoring is operational and consistent — Correct. 13 clean weeks is positive evidence, not evidence that monitoring is unnecessary. The log demonstrates both the activity (weekly reviews conducted) and the outcome (no incidents detected).
Monitoring is unnecessary and can be stopped — Monitoring validates ongoing health. Stopping creates a detection gap.
The detection system isn't working because nothing is being detected — Clean weeks mean controls are working. Not every week produces incidents.
The monitoring cadence should be reduced to monthly — Monthly creates a 30-day detection gap. 15 minutes/week is already minimal.
Question 8. What is the total annual time commitment for the integrated monitoring cadence built in this module?
4-5 hours per week — nearly a full day of monitoring — Far more than needed. The structured cadence is 30-45 minutes per week.
Zero — everything is automated — Alert notifications automate critical event delivery. The Monday review adds human judgment. Both are needed.
2-3 hours per month — just the metric collection — Too much for the monthly task, which takes about 30 minutes (6 hours a year), and it leaves out the weekly reviews and the quarterly reports entirely.
Approximately 28 hours per year — 15-minute weekly reviews (13 hours), occasional investigations (5 hours), monthly metrics (6 hours), and quarterly reports (4 hours) — sustainable alongside IT administration responsibilities — Correct. 28 hours per year for a complete security monitoring program. That's less than 1 hour per week averaged. The investment produces: documented security posture evidence, early incident detection, quarterly management reports, and compliance audit readiness.
You're reading the free modules of M365 Security: From Admin to Defender