ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 1.1: Logging and MonitoringDomain 1MonitoringCost OptimizationSentinel

AZ-305 · Question 03 · Domain 1.1: Logging and Monitoring

Your company uses Microsoft Sentinel integrated with a Log Analytics workspace. The workspace ingests 500 GB of data daily.

You are tasked with optimizing costs. You notice that 300 GB of the daily ingestion consists of network firewall flow logs. These logs are rarely queried for active threat hunting but must be retained for 3 years for compliance audits. When they are needed for audits, a query response time of up to 24 hours is acceptable.

Which cost optimization strategy should you recommend for the firewall logs?

Answer options:

A.

Move the workspace to a Capacity Reservation tier of 500 GB/day.

B.

Configure the firewall log tables to use the Basic Logs data plan and configure a Search Job when data is needed.

C.

Export the logs to an Azure Storage account using the Archive tier and delete them from Log Analytics.

D.

Configure a Data Collection Rule (DCR) to filter out the firewall logs before ingestion.

How to approach this question

Look for the Azure Monitor feature designed for high-volume, rarely queried logs that still need to be accessible within the workspace.

Full Answer

B.Configure the firewall log tables to use the Basic Logs data plan and configure a Search Job when data is needed.✓ Correct
Configure the firewall log tables to use the Basic Logs data plan and set the workspace retention to 3 years.
Basic Logs is a data plan in Azure Monitor designed for high-volume, verbose logs that are used for debugging, troubleshooting, and auditing, but not for immediate analytics or alerts. They are significantly cheaper to ingest than Analytics logs. When you need to query Basic Logs, you can run a Search Job, which is an asynchronous query that pulls the data into a temporary table.

Common mistakes

Choosing Storage Account export. While cheaper, Microsoft's Well-Architected Framework recommends Basic Logs for this exact scenario to keep data within the Sentinel/Monitor ecosystem.
02All questions04

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 5

55 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01Contoso Ltd has 50 subscriptions across 3 business units. Each business unit manages its own IT o...EasyQ02You are designing a monitoring solution for a hybrid environment. The environment consists of 200...MediumQ04You are designing an application monitoring strategy using Application Insights. The application ...MediumQ05A highly regulated financial institution is migrating to Microsoft 365 and Azure. They currently ...HardQ06Your organization uses Microsoft Entra ID Premium P2. You are designing a Conditional Access stra...Medium
View all 55 questions →