A company is designing a security operations strategy. They want to use Microsoft Sentinel to detect and respond to threats across their hybrid environment. They need to ensure that logs from all sources are collected cost-effectively and that analysts can easily query data. Which data ingestion strategy should they recommend?
Balances cost and functionality; Basic logs for low-value data, Analytics for actionable data.
Why this answer
Option D is correct because it balances cost against query capability by keeping high-value security logs (e.g., Windows Security Events, identity sign-in logs, network security logs) on the Analytics logs plan, which gives full KQL, longer interactive retention and support for analytics rules, while moving verbose, low-security-value logs (e.g., DNS debug output, firewall flow logs) to the Basic logs plan, which has a lower per-GB ingestion cost but only a limited KQL subset (filtering and projection operators; no summarization) and a per-GB charge on each query. Two caveats a practitioner should keep in mind: the Basic plan can only be set on tables Microsoft supports for it (the table holding Windows Security Events, for example, must stay on Analytics), and Basic tables are not available to scheduled analytics rules, so anything a rule must alert on belongs on Analytics. This tiered approach lets analysts hunt efficiently on critical data without paying full price for voluminous, less actionable logs.
Exam trap
The trap here is that candidates assume 'cost-effective' means using only the cheapest option (Basic logs) or that 'easy to query' means using only the most capable option (Analytics logs), failing to recognize that the Log Analytics table plans Microsoft Sentinel relies on are designed specifically to trade cost against query capability by separating high-value and low-value log sources.
How to eliminate wrong answers
Option A is wrong because sending all logs to the Basic logs plan would severely limit query capabilities: Basic tables support only a restricted KQL subset with no aggregation operators such as summarize or make-series and no joins across tables, they incur a per-GB query charge, and they cannot be used by scheduled analytics rules, making threat hunting and advanced analytics impractical. Option B is wrong because sending only Windows Security Events ignores other critical sources such as Azure Activity logs, identity sign-in logs, network logs, and third-party security appliances, creating blind spots in the hybrid environment and failing the requirement to detect threats across all sources. Option C is wrong because sending all logs to the Analytics logs plan would incur high ingestion and retention costs for verbose logs (e.g., DNS queries, firewall flow logs) that have low security value, contradicting the cost-effectiveness requirement.
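The tiering described in the correct answer and in the elimination of options A and C comes down to assigning a table plan per Log Analytics table in the Sentinel workspace. The following PowerShell script is an added example, not code from the original page or from Microsoft; it uses the Az.OperationalInsights cmdlets Get-AzOperationalInsightsTable and Update-AzOperationalInsightsTable. The resource group, workspace name and the specific table-to-plan mapping are assumptions for illustration; whether a given table can actually be moved to Basic depends on Microsoft's list of supported tables, which is why each update is wrapped in a try/catch.

```powershell
# Added example (not from the original page): apply a tiered table-plan strategy in a
# Sentinel-enabled Log Analytics workspace. High-value tables stay on Analytics, verbose
# low-value tables move to Basic. Requires Az.Accounts and Az.OperationalInsights;
# run Connect-AzAccount first. Names below are assumed values for illustration only.

$ResourceGroup = 'rg-security-ops'      # assumption
$Workspace     = 'law-sentinel-prod'    # assumption

# Tiering decision: table name -> plan.
#   Analytics : full KQL, usable by analytics rules, longer interactive retention.
#   Basic     : cheaper ingestion, limited KQL subset, per-GB query charge, no analytics rules.
$TablePlans = [ordered]@{
    'SecurityEvent'  = 'Analytics'   # Windows Security Events: detections and hunting depend on it
    'SigninLogs'     = 'Analytics'   # identity sign-ins: high value
    'AzureActivity'  = 'Analytics'   # control-plane audit trail
    'ContainerLogV2' = 'Basic'       # verbose container stdout/stderr, assumed low security value here
    'AppTraces'      = 'Basic'       # application trace noise, assumed low security value here
}

foreach ($Table in $TablePlans.Keys) {
    $Plan = $TablePlans[$Table]
    try {
        $Current = Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroup `
            -WorkspaceName $Workspace -TableName $Table -ErrorAction Stop

        if ($Current.Plan -eq $Plan) {
            Write-Host "$Table already on the $Plan plan"
            continue
        }

        Update-AzOperationalInsightsTable -ResourceGroupName $ResourceGroup `
            -WorkspaceName $Workspace -TableName $Table -Plan $Plan -ErrorAction Stop | Out-Null
        Write-Host "$Table moved to the $Plan plan"
    }
    catch {
        # The Basic plan is only permitted on tables Microsoft supports for it; a table that
        # cannot be moved (or that does not exist yet) fails here instead of aborting the run.
        Write-Warning "Could not set $Table to $Plan : $($_.Exception.Message)"
    }
}

# Verification: list every table now on Basic so analysts know where summarize/join
# will not work and where each query carries a per-GB scan charge.
Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace |
    Where-Object { $_.Plan -eq 'Basic' } |
    Select-Object Name, Plan, RetentionInDays, TotalRetentionInDays |
    Format-Table -AutoSize
```

Review the Basic list against the analytics rules and hunting queries the SOC actually runs before committing the change: any table referenced by a scheduled analytics rule, or queried with aggregation operators in a saved hunting query, must remain on the Analytics plan regardless of volume.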