Just-in-time (JIT) VM access and network layer threat detections are features of Microsoft Defender for Cloud (formerly Azure Security Center "Azure Defender" plans). These capabilities are enabled by turning on the relevant Defender plans at the subscription level, which then apply to resources in that subscription.
Workspace- or individual resource-level enablement won't activate JIT or the broad network detections across your estate.

Defender for Cloud depends on the Log Analytics agent.
Use the Log Analytics agent if you need to:
* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure
* Etc.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/os-coverage
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#log-analytics-agent

Explanation:

To determine whether a device is being accessed remotely by an attacker, analysts must inspect active network connections collected from the investigation package.
Microsoft Defender for Endpoint investigation packages contain a NetworkConnections.txt file that includes all established, listening, and closed network sessions, including remote IP addresses, ports, and associated processes.
Microsoft's official Defender for Endpoint documentation states:
"The investigation package includes a list of active network connections at the time of collection, helping analysts identify potential remote access activity or suspicious outbound connections." By reviewing the network connections folder/file, you can check for any live sessions to external IPs, RDP, SSH, or other remote-control tools indicating an attacker's presence.
Data Point 2: When was File1.exe first executed?
# Verified Answer = Prefetch files
To find when a file was first executed, you use Prefetch files.
Windows Prefetch is a forensic artifact that records metadata about executables that have been launched, including:
* The first and last execution timestamps
* The number of times executed
* The path and hash of the executable
Microsoft's forensic analysis guidance for Defender investigation packages specifies:
"Prefetch files provide information on when applications were first and last executed, which assists in establishing file execution timelines during investigations." Therefore, to determine when File1.exe was first executed, you should analyze the Prefetch files contained within the investigation package.
# Final Verified Answers:
Forensic Data Point
Folder/File to Review
Is an attacker currently accessing Device1 remotely?
Network connections
When was File1.exe first executed?
Prefetch files
Summary:
* Network connections # Identify active remote sessions (possible attacker access)
* Prefetch files # Determine first execution time of suspicious executable These answers align with Microsoft Defender for Endpoint investigation package structure and Microsoft 365 E5 SecOps documentation.

If you manually install the Log Analytics agent on your AWS Linux VMs and connect them to your Azure Log Analytics workspace, Defender for Cloud can begin collecting telemetry data from those machines.
Once connected, Azure Defender automatically protects and monitors them, even if they are hosted outside Azure.
Microsoft Defender for Cloud documentation explains:
"You can manually install the Log Analytics agent on non-Azure machines and connect them to your workspace. Once connected, Defender for Servers will begin applying protections and generating alerts." Although Azure Arc provides centralized management and auto-provisioning, manually installing the Log Analytics agent is a valid and supported alternative method. Therefore, this solution also meets the goal.
# Correct answer: A. Yes

Explanation:

In Microsoft Sentinel, each workspace acts as a logical container for security data and analytics. When integrating Sentinel across organizations or environments-such as between Contoso and Fabrikam-each Azure subscription needs at least one Log Analytics workspace that Sentinel can attach to. This workspace becomes the data repository for logs and analytics rules.
Therefore, Fabrikam requires a minimum of one Log Analytics workspace to onboard Microsoft Sentinel and begin collecting and analyzing data. Multiple workspaces may be used for isolation or region-specific requirements, but one is sufficient for a functional deployment.
To query and correlate data between multiple workspaces or tenants, Sentinel uses the workspace() KQL function. This function allows cross-workspace queries, letting you pull data from different Sentinel instances for investigation or threat correlation. For example:
union workspace("FabrikamWorkspace").SecurityEvent, workspace("ContosoWorkspace").SecurityEvent
| summarize count() by Account
This KQL syntax enables cross-tenant or cross-subscription correlation when Defender or Sentinel workspaces are connected through proper permissions (e.g., Azure Lighthouse or cross-tenant data access).
# Final Answers:
* Minimum number of Log Analytics workspaces: 1
* Query element required to correlate data between tenants: workspace