Microsoft Security Operations Analyst Associate SC-200 Practice Question
Your organization is creating a new Microsoft Sentinel workspace. Compliance policy requires that all security event data remain searchable for 14 months. Security analysts routinely run interactive queries against the most recent 30 days of data but are willing to wait several hours when they need to investigate older events. You must meet the compliance requirement while keeping Microsoft Sentinel data-retention costs as low as possible. Which configuration should you implement in the Log Analytics workspace?
Create a second Log Analytics workspace in the same region, onboard it to Microsoft Sentinel, and forward data from the primary workspace for long-term retention.
Configure all high-volume tables to use Basic Logs with eight-day retention and retain the default 30-day workspace retention.
Set the workspace retention to 30 days and enable table-level data archive for the required tables for an additional 13 months.
Set the workspace's default retention period to 14 months and do not configure data archive.
Azure Monitor Logs keeps data in the interactive (hot/cold) tier for the number of days defined as the workspace retention period. The first 31 days are free; after that, standard retention charges apply. Data that ages out of the interactive tier can be moved automatically to the archive tier, where storage costs are much lower and data can be retained for up to 12 years. Archived data is still searchable by running asynchronous Search Jobs, which typically complete in minutes to hours, an acceptable delay for infrequent investigations.
Setting the workspace retention to 30 days keeps the most frequently queried data in the interactive tier at standard cost, while enabling table-level archive for an additional 13 months meets the 14-month compliance requirement at a substantially lower cost than keeping all data in the interactive tier. Using Basic Logs cannot satisfy the 14-month requirement, and creating a second workspace introduces extra ingestion costs without providing any savings over archive storage.
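The recommended configuration (30 days of interactive retention, archived out to a 14-month total) is applied per table through the Azure Monitor Tables API. The script below is an added example, not code from the exam page or from Microsoft: it converts the compliance period to days, checks the values against the retention limits documented for Analytics tables (4 to 730 interactive days; total retention up to 730 days or one of the yearly steps up to 4383 days, which should be verified against current documentation), and builds the request body and URL. The subscription, resource group and workspace names are placeholders, and the 365/12 days-per-month conversion is an assumption made here.

```python
"""Build and validate a table-level retention setting for Log Analytics.

Added example for the SC-200 question above (not Microsoft's code).
Models: 30 days interactive retention plus archive to a 14-month total.
"""
import json
import math

# Limits for Analytics tables as documented in Azure Monitor Logs at the
# time of writing; re-check the docs before relying on them.
MIN_INTERACTIVE_DAYS = 4
MAX_INTERACTIVE_DAYS = 730
# Total retention may be any value up to 730 days or one of these yearly
# steps (3 to 12 years); archive period = total - interactive.
YEARLY_TOTAL_STEPS = {1095, 1460, 1826, 2191, 2556, 2922, 3288, 3653, 4018, 4383}
API_VERSION = "2022-10-01"  # Microsoft.OperationalInsights/workspaces/tables


def months_to_days(months: int) -> int:
    """Convert a compliance period in months to days, rounding up so the
    retention never falls short (assumes 365/12 days per month)."""
    return math.ceil(months * 365 / 12)


def validate_retention(interactive_days: int, total_days: int) -> list[str]:
    """Return a list of problems; an empty list means the pair is valid."""
    errors = []
    if not MIN_INTERACTIVE_DAYS <= interactive_days <= MAX_INTERACTIVE_DAYS:
        errors.append(f"interactive retention {interactive_days} outside "
                      f"{MIN_INTERACTIVE_DAYS}-{MAX_INTERACTIVE_DAYS} days")
    if total_days < interactive_days:
        errors.append("total retention must be >= interactive retention")
    if not (total_days <= MAX_INTERACTIVE_DAYS or total_days in YEARLY_TOTAL_STEPS):
        errors.append(f"total retention {total_days} is not an allowed value")
    return errors


def meets_requirement(total_days: int, required_months: int) -> bool:
    """True if data stays searchable (interactive or archive) long enough."""
    return total_days >= months_to_days(required_months)


def table_retention_body(interactive_days: int, total_days: int) -> dict:
    """Body for PATCH/PUT on the table resource. Property names are the
    documented ones: retentionInDays and totalRetentionInDays."""
    errors = validate_retention(interactive_days, total_days)
    if errors:
        raise ValueError("; ".join(errors))
    return {"properties": {"retentionInDays": interactive_days,
                           "totalRetentionInDays": total_days}}


def table_update_url(subscription_id: str, resource_group: str,
                     workspace: str, table: str) -> str:
    """ARM URL of the table resource (placeholders supplied by the caller)."""
    return ("https://management.azure.com/subscriptions/"
            f"{subscription_id}/resourceGroups/{resource_group}"
            "/providers/Microsoft.OperationalInsights/workspaces/"
            f"{workspace}/tables/{table}?api-version={API_VERSION}")


if __name__ == "__main__":
    # Option 3 from the question: 30 days interactive, 14 months in total.
    total = months_to_days(14)  # 426 days
    body = table_retention_body(30, total)
    url = table_update_url("<subscription-id>", "<resource-group>",
                           "<workspace-name>", "SecurityEvent")
    print("PATCH", url)
    print(json.dumps(body, indent=2))
    # Option 2 (Basic Logs, 8-day retention) falls short of 14 months:
    print("8-day retention meets 14 months:", meets_requirement(8, 14))
```

The same setting can be applied with the Azure CLI (`az monitor log-analytics workspace table update` with `--retention-time` for the interactive period and `--total-retention-time` for the total); the validation above is worth running first either way, because the API rejects totals outside the allowed set rather than rounding them.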
Microsoft Security Operations Analyst Associate SC-200
Manage a security operations environment