Final assessment (10 questions)
1. When does an organization need Sentinel in addition to Defender XDR?
   a) When they have non-Microsoft data sources, need custom detection rules, have compliance mandates for centralized logging, or need automated response beyond Defender XDR's attack disruption
   b) Always — every organization needs a SIEM
   c) Never — Defender XDR is sufficient
   Explanation: Sentinel adds cost and complexity. Deploy it when you have a concrete requirement: third-party data, custom detections, compliance, or advanced automation. A Microsoft-only environment with no compliance mandates may not need it.
2. You need to store EU employee sign-in data in an EU region. What is the correct architecture?
   a) Single workspace in the US with an EU filter
   b) Move the existing workspace to the EU
   c) Create a second workspace in West Europe for EU data. Use cross-workspace queries for unified hunting. Workspaces cannot be moved between regions.
   Explanation: Data residency requires a workspace in the required region. Cross-workspace queries (using the workspace() function) enable unified hunting across both workspaces, though with some performance overhead.
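The cross-workspace hunt the explanation describes, as an added example that is not part of the course material. It assumes the query runs in the primary workspace and that the EU workspace is named "sentinel-weu"; the threshold of five distinct IPs is an arbitrary hunting cut-off.

```kql
// Added example (not from the course): hunt successful sign-ins across the primary
// workspace (where this query runs) and an assumed EU workspace named "sentinel-weu".
// Filter on time and result inside each branch so the remote workspace returns
// as little data as possible; cross-workspace queries carry a performance cost.
let lookback = 1d;
let euSignins = workspace("sentinel-weu").SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"            // "0" = successful sign-in
    | extend SourceWorkspace = "sentinel-weu";
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| extend SourceWorkspace = "primary"
| union euSignins                        // one result set across both regions
| summarize SignIns = count(),
            DistinctIPs = dcount(IPAddress),
            Countries = make_set(Location, 20)
            by UserPrincipalName, SourceWorkspace
| where DistinctIPs > 5                  // assumed hunting threshold; tune per tenant
| order by DistinctIPs desc
```

The EU data never leaves its workspace's region for storage; only the query result crosses regions.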
3. DeviceFileEvents uses 45 GB/month. You have no analytics rules against it. What is the cost-optimized approach?
   a) Move it to Basic tier — saves ~65% while keeping simple query access for ad-hoc investigation. Verify no existing rules reference this table before changing.
   b) Delete the data
   c) Keep it on Analytics
   Explanation: Basic tier is the right balance for high-volume, low-detection-value tables. You can still query with where, project, and take during investigations. The 65% savings on 45 GB/month is significant.
4. Your workspace ingests 70 GB/day. Should you commit to the 100 GB/day tier?
   a) Yes — the per-GB rate is lower
   b) Yes — you will grow into it
   c) No — at 70 GB/day, pay-as-you-go costs less than the 100 GB commitment. The commitment charges for 100 GB whether you use it or not. Wait until you consistently exceed 85+ GB/day.
   Explanation: 70 GB × $5.52 (PAYG) = $386/day. 100 GB × $4.60 (commitment) = $460/day. You would pay $74/day MORE for the "discount." Commitment tiers only save money when actual usage meets the threshold.
5. You enabled the M365 Defender connector but did not enable DeviceFileEvents. When would you add it?
   a) When you build a detection rule that requires file-level endpoint data, or when investigating malware that requires file creation/modification analysis. Adding it before you have a specific use case wastes budget.
   b) Immediately — you need all data
   c) Never — device data is not useful
   Explanation: Enable data sources when you have a detection or investigation use case for them. DeviceFileEvents is essential for malware analysis and file-based threat detection, but if you are not building those rules yet, the ingestion cost is premature.
6. What is the critical danger of a silent ingestion failure in SigninLogs?
   a) Every analytics rule that depends on sign-in data becomes blind. Token replay, brute force, and impossible travel detections stop working. Investigation queries return incomplete results, which analysts may misinterpret as "nothing happened" rather than "data is missing."
   b) Users cannot sign in
   c) Dashboard charts show gaps
   Explanation: Silent failures are the most dangerous failure mode. The system appears to be working — no errors, no alerts. But the data is not arriving, which means detections are not firing. The only way to catch this is proactive ingestion monitoring.
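The proactive ingestion monitoring the explanation calls for, as an added example that is not part of the course. It is written as a scheduled analytics rule query over the Usage table; the table list and allowed-gap values are assumptions to tune to your tenant's real cadence.

```kql
// Added example (not from the course): scheduled rule query that fires when an expected
// table stops arriving. It reads the Usage table, which is populated roughly hourly, so the
// allowed gap must sit well above one hour or the rule will false-alarm on normal latency.
// The table names and MaxGapMinutes values below are assumptions; tune them per tenant.
let expected = datatable(DataType:string, MaxGapMinutes:int)
[
    "SigninLogs", 180,
    "AADNonInteractiveUserSignInLogs", 180,
    "DeviceFileEvents", 360
];
let observed = Usage
    | where TimeGenerated > ago(7d)
    | where IsBillable == true
    | summarize LastIngested = max(TimeGenerated),
                MBLast24h = sumif(Quantity, TimeGenerated > ago(1d))   // Quantity is in MB
                by DataType;
expected
| join kind=leftouter observed on DataType
// A table with no Usage rows in the whole lookback has a null LastIngested: treat it as stalled
// rather than letting it vanish from the result, which is exactly the silent-failure trap.
| extend MinutesSinceLast = iff(isnull(LastIngested), int(99999),
                                datetime_diff("minute", now(), LastIngested))
| extend Status = iff(MinutesSinceLast > MaxGapMinutes, "STALLED", "OK")
| project DataType, LastIngested, MinutesSinceLast, MBLast24h, Status
| where Status == "STALLED"
```

Run it without the final where to see the health of every expected table at once.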
7. You install a Content Hub solution. The analytics rules start detecting immediately. True or false?
   a) True
   b) False — solutions install rule templates, not active rules. You must manually review, tune, and activate each rule.
   Explanation: The two-step process prevents untested rules from flooding your incident queue. Install the solution, then review each template: run the query, check the volume, verify entity mapping, adjust severity, then activate.
8. Why apply a CanNotDelete resource lock to the workspace?
   a) A deleted workspace takes all security data with it. Recovery is limited to 14 days. The lock prevents accidental deletion by any user with Contributor access.
   b) Azure requires it
   c) It improves performance
   Explanation: Cheap insurance against catastrophic data loss. Anyone with Contributor or Owner access to the resource group can delete resources. The lock adds one extra step (remove the lock first) that prevents accidental deletion.
9. Firewall logs are generating 35 GB/day. What are two actions to reduce cost?
   a) First: deploy a Data Collection Rule to filter at ingestion — keep only denied, IDS, and URL filtering events. Second: move the remaining firewall table to Basic tier if you do not build detection rules against it.
   b) Disconnect the firewall and use Defender XDR instead
   c) Upgrade to a higher commitment tier
   Explanation: DCR filtering reduces volume before ingestion (you never pay for dropped data). Basic tier reduces the per-GB cost for what remains. Together, they can reduce firewall data costs by 80-90% while retaining security-relevant events.
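The ingestion-time filter from the first action, as an added example that is not the course's own. It assumes the firewall arrives as CEF into CommonSecurityLog; the deny/IDS/URL category values are constructed placeholders, since each vendor maps these fields differently. The first query is run in the workspace to estimate the retained share before the filter is deployed; the second is the transformation KQL placed in the DCR.

```kql
// Added example (not from the course). Two separate queries: run the first in Log Analytics
// to estimate what the filter will keep, then put the second in the DCR's transformKql.
// DeviceAction / DeviceEventCategory values are constructed placeholders; check your
// firewall vendor's CEF field mapping before relying on them.

// 1. Estimate on data already ingested: what share of events (and billed bytes) survives?
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "<firewall-vendor>"            // placeholder
| extend Keep = DeviceAction =~ "deny"
              or DeviceEventCategory in~ ("ids", "ips", "url-filtering")
              or isnotempty(RequestURL)
| summarize Events = count(),
            KeptEvents = countif(Keep),
            TotalGB = sum(_BilledSize) / 1e9,
            KeptGB = sumif(_BilledSize, Keep) / 1e9
| extend KeptPct = round(100.0 * KeptEvents / Events, 1)

// 2. Ingestion-time transformation for the DCR. 'source' is the incoming record stream;
//    records that fail the where clause are dropped before billing, so they cost nothing.
source
| where DeviceAction =~ "deny"
     or DeviceEventCategory in~ ("ids", "ips", "url-filtering")
     or isnotempty(RequestURL)
```

If KeptPct from the estimate is far below the 80-90% reduction the explanation cites, the filter is too aggressive for that vendor's field mapping and the placeholders need adjusting.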
10. You configured the Entra ID diagnostic settings to send SigninLogs but forgot NonInteractiveUserSignInLogs. Which detection from Module 13 will fail?
   a) Phishing email detection
   b) Inbox rule detection
   c) Token replay detection — the anti-join pattern queries AADNonInteractiveUserSignInLogs for IPs not in the interactive baseline. Without this table, stolen token activity is invisible.
   Explanation: This connects Module 5 (configuration) to Module 13 (investigation). A configuration decision (which diagnostic settings to enable) directly determines your detection capability. Enable both sign-in log types — always.
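The anti-join pattern the answer refers to, as an added example rather than the course's Module 13 query. The baseline and detection window lengths and the minimum-event threshold are assumptions to tune.

```kql
// Added example (not the course's Module 13 query): token replay detection as a scheduled
// rule. It lists non-interactive (token-based) sign-ins from IPs the user has never used
// in an interactive sign-in during the baseline window. If AADNonInteractiveUserSignInLogs
// is not ingested, the left side is empty and this rule silently never fires.
let baselineWindow = 14d;     // assumed
let detectionWindow = 1d;     // assumed
let interactiveBaseline = SigninLogs
    | where TimeGenerated between (ago(baselineWindow) .. ago(detectionWindow))
    | where ResultType == "0"
    | distinct UserPrincipalName, IPAddress;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(detectionWindow)
| where ResultType == "0"
// leftanti keeps only left-side rows with NO matching (user, IP) pair in the baseline
| join kind=leftanti interactiveBaseline on UserPrincipalName, IPAddress
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Events = count(),
            Apps = make_set(AppDisplayName, 10),
            Resources = make_set(ResourceDisplayName, 10)
            by UserPrincipalName, IPAddress
| where Events >= 3           // assumed noise floor; tune after checking volume
| order by Events desc
// Entity mapping for the rule: Account -> UserPrincipalName, IP -> IPAddress.
```

Pair this with an ingestion-monitoring rule on AADNonInteractiveUserSignInLogs, since an empty left side produces no incidents and no errors.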