Module 8 — Check My Knowledge (20 questions)
1. You have a new Sentinel workspace. Which two connectors should you enable first for an M365 environment?
Answer: Microsoft Entra ID and Microsoft Defender XDR. Entra ID provides sign-in and audit logs (the foundation of every identity investigation). Defender XDR provides alerts, incidents, and Advanced Hunting tables from all Defender products. Together, they cover 80% of investigation needs.
Incorrect: Syslog and CEF
Incorrect: Windows Security Events and DNS
Incorrect: Custom logs and threat intelligence
Key point: Identity + XDR first. These provide the broadest detection and investigation coverage at the lowest deployment effort.
2. Why is the Azure Activity connector deployed through Azure Policy?
Answer: Azure Activity logs are per-subscription. Azure Policy automates the diagnostic setting deployment across all current and future subscriptions. A simple toggle would only connect one subscription.
Incorrect: Azure Policy is more secure
Incorrect: It is the only supported method
Incorrect: Azure Activity generates too much data for direct connection
Key point: Per-subscription scope requires per-subscription configuration. Azure Policy handles current and future subscriptions automatically.
3. After enabling Defender XDR bi-directional sync, you see duplicate incidents. What is the fix?
Answer: Disable the "Microsoft Security" analytics rules that create incidents from Defender product alerts. With sync enabled, Defender XDR incidents are already synchronised — the analytics rules are redundant.
Incorrect: Disable bi-directional sync
Incorrect: Delete duplicates manually
Incorrect: This is expected behaviour
Key point: Disable the redundant analytics rules. Bi-directional sync is the preferred incident creation mechanism for Defender alerts.
4. What are the three Windows Security Event collection levels in a DCR?
Answer: All Events (everything — highest volume), Common (security-relevant subset — recommended for most SOC operations), and Minimal (critical events only — lowest volume). Custom XPath is a fourth option for granular Event ID selection.
Incorrect: High, Medium, Low
Incorrect: Verbose, Standard, Quiet
Incorrect: Full, Filtered, None
Key point: All Events, Common, Minimal — plus Custom XPath for precision. Common is the default recommendation for SOC operations.
5. What is the role of a Linux log forwarder in the CEF architecture?
Answer: The log forwarder receives Syslog messages from CEF devices, runs AMA, which parses the CEF-formatted messages into structured fields, and sends the structured data to Sentinel. It bridges the protocol gap between Syslog (what devices output) and the Azure Monitor pipeline (what Sentinel consumes).
Incorrect: It stores CEF data locally for backup
Incorrect: It filters malicious events
Incorrect: It replaces AMA
Key point: Protocol bridge: Syslog from devices → AMA parsing on forwarder → structured data to workspace.
6. What is the difference between CEF and Syslog?
Answer: CEF is a structured format carried over Syslog. CEF messages have a defined header (CEF:0|Vendor|Product|...) that AMA parses into structured columns in CommonSecurityLog. Plain Syslog messages are unstructured text that land in the Syslog table and require KQL parsing to extract fields.
Incorrect: They are the same thing
Incorrect: CEF is newer and replaces Syslog
Incorrect: Syslog is more secure than CEF
Key point: CEF = structured format, Syslog = transport. CEF → CommonSecurityLog (structured). Plain Syslog → Syslog table (unstructured).
7. What are the three components of a Data Collection Rule?
Answer: Data sources (what to collect), transformations (KQL-based filtering and modification at ingestion time), and destinations (which workspace or table to send the data to). DCRs control the entire ingestion pipeline from source to destination.
Incorrect: Agent, connector, and table
Incorrect: Authentication, encryption, and routing
Incorrect: Source, buffer, and sink
Key point: Sources, transformations, destinations. DCRs define what, how, and where for all AMA-based data ingestion.
8. You deploy a DCR transformation that filters 40% of SecurityEvent data. Can you recover filtered events later if needed?
Answer: No. DCR transformations filter data before ingestion. Filtered events are never stored in the workspace and cannot be recovered from Sentinel. The only recovery path is the source system itself (the Windows host's local Security Event Log, if it has not been overwritten).
Incorrect: Yes — restore from Archive tier
Incorrect: Yes — Microsoft retains filtered data for 30 days
Incorrect: Yes — run a search job
Key point: Filtered = permanently lost from Sentinel. Archive and search jobs only work on data that was ingested. Test transformations against historical data before deploying.
9. A SaaS application can send webhooks but has no Sentinel connector. How do you ingest its events?
Answer: Use the Logs Ingestion API. Create a custom table, Data Collection Endpoint (DCE), and Data Collection Rule (DCR). Configure the SaaS webhook to POST JSON events to the DCE. The DCR processes and routes data to the custom table.
Incorrect: Install AMA on the SaaS platform
Incorrect: Use the Syslog connector
Incorrect: This data cannot be ingested
Key point: The Logs Ingestion API is the universal answer for data sources without built-in connectors. Any application that can make HTTPS POST requests can send data to Sentinel.
10. The Entra ID connector was enabled 30 minutes ago. SigninLogs returns zero results. What do you check first?
Answer: Check whether the tenant has Entra ID P1 or P2 licences (required for sign-in logs). Then check for conflicting diagnostic settings in Azure portal → Entra ID → Diagnostic settings that may be sending data to a different workspace.
Incorrect: Wait 24 hours
Incorrect: Restart Sentinel
Incorrect: Deploy AMA
Key point: Licence check first, then diagnostic setting conflict. Data should appear within 5-15 minutes. AMA is not involved in the Entra ID connector.
11. Your firewall sends both accept and deny logs via CEF (30 GB/day). Analytics rules only query deny events. How do you reduce cost?
Answer: Configure the firewall to send only deny/drop/block events (source-level filtering). If the firewall cannot filter, apply a DCR transformation to exclude events where DeviceAction is "allow" or "accept." Both approaches eliminate high-volume accept logs while preserving the deny logs that the analytics rules query.
Incorrect: Move CommonSecurityLog to Basic tier
Incorrect: Set a daily cap
Incorrect: Disconnect the firewall
Key point: Source-level filtering first, DCR transformation as backup. Both reduce volume while preserving security-relevant events.
12. What table does CEF data land in?
Answer: CommonSecurityLog. CEF messages are parsed by AMA into structured columns: DeviceVendor, DeviceProduct, DeviceAction, SourceIP, DestinationIP, DestinationPort, and others. This structured format enables efficient KQL queries without manual parsing.
Incorrect: Syslog
Incorrect: SecurityEvent
Incorrect: SecurityAlert
Key point: CommonSecurityLog for CEF. Syslog for non-CEF Syslog messages. SecurityEvent for Windows. SecurityAlert for alerts from security products.
13. What is the recommended Syslog collection configuration for security operations on a Linux web server?
Answer: auth and authpriv at info level (all authentication events), daemon at warning level (service failures), kern at warning level (kernel security events). This provides security visibility while excluding high-volume info and debug messages from non-security facilities.
Incorrect: All facilities at debug level
Incorrect: Only auth at emerg level
Incorrect: Only kern at all levels
Key point: Selective facility and level for security coverage at manageable volume.
14. Your organisation still uses the legacy Log Analytics Agent on 500 servers. What should you do?
Answer: Plan a phased migration to Azure Monitor Agent (AMA). Deploy AMA alongside the legacy agent on a pilot group, configure equivalent DCRs, verify data parity, then scale to all servers and remove the legacy agent. The legacy agent is deprecated and does not support DCR transformations or Azure Policy deployment.
Incorrect: Keep the legacy agent — it still works
Incorrect: Remove legacy agent immediately
Incorrect: Wait for auto-migration
Key point: Phased migration with dual-agent overlap. No auto-migration exists.
15. SecurityEvent data stopped 3 hours ago. Connector shows "Connected." AMA Heartbeat is OK. What next?
Answer: Check the Data Collection Rule. The DCR may have been disassociated from the VM or its configuration modified (collection level changed, Security source removed). Also check the workspace daily cap. With the agent running and the connector configured, the DCR is the most likely failure point.
Incorrect: Restart Sentinel
Incorrect: Reinstall AMA
Incorrect: Wait — data will resume
Key point: Check the DCR when the agent is running and the connector is configured. DCR disassociation or modification is the most common cause of "agent up, no data" scenarios.
16. CommonSecurityLog has events but DeviceVendor is empty. What is the cause?
Answer: The device is sending plain Syslog, not CEF-formatted messages. AMA writes events to CommonSecurityLog but cannot parse the structured CEF fields because the CEF header is missing or malformed. Fix: configure the device to output CEF format.
Incorrect: AMA needs updating
Incorrect: The DCR is wrong
Incorrect: CommonSecurityLog is on Basic tier
Key point: Empty structured fields = device not outputting CEF format. Fix at the source.
17. What is the Logs Ingestion API used for?
Answer: Ingesting data from custom applications, SaaS platforms, and any data source that cannot run an agent and does not have a built-in Sentinel connector. The API accepts JSON payloads over HTTPS and routes them through a DCR to a custom table in the workspace.
Incorrect: Querying Sentinel data via API
Incorrect: Managing Sentinel configuration
Incorrect: Exporting incidents to external systems
Key point: Custom data ingestion — the universal connector for any data source that can make HTTPS POST requests.
18. You have both OfficeActivity and CloudAppEvents ingesting Exchange data. How do you reduce the overlap?
Answer: Compare the event counts and field richness. CloudAppEvents (from the Defender XDR connector) typically has richer fields for Exchange operations. If your analytics rules use CloudAppEvents for Exchange data, disable the Exchange toggle in the Office 365 connector to eliminate the duplicate ingestion. Keep OfficeActivity only if specific rules or queries depend on its format.
Incorrect: Disable both — they are redundant
Incorrect: Keep both — overlap does not increase cost
Incorrect: Move OfficeActivity to Basic tier
Key point: Eliminate the duplicate source. CloudAppEvents is typically the richer option for Exchange data. Overlap does increase cost — you pay for both copies.
19. What is the recommended Windows Security Event collection level for most SOC operations?
Answer: Common. It retains security-relevant events (logons, account management, process creation, privilege use, service installation) while excluding verbose audit success events. It reduces volume by 50-70% compared to "All Events" with minimal investigation impact.
Incorrect: All Events — comprehensive coverage
Incorrect: Minimal — lowest cost
Incorrect: None — rely on Defender for Endpoint
Key point: Common: the best balance of security coverage and cost. All Events is too verbose for most environments. Minimal misses too many events. MDE and SecurityEvent provide complementary data — both are valuable.
20. After deploying the complete ingestion pipeline, what is the most important ongoing operational practice?
Answer: Daily connector health monitoring. The shift-start health check (Module 7.11) verifies all connectors are delivering fresh data to all expected tables. Without this check, silent connector failures create blind spots that only surface during investigations when expected data is missing — by which time the gap may be days or weeks old.
Incorrect: Monthly cost reviews
Incorrect: Annual connector recertification
Incorrect: Adding new connectors every week
Key point: Daily health monitoring catches connector failures before they affect investigation capability. Cost reviews and connector recertification are important but less frequent. The daily check is the operational heartbeat.