This week addressed not "logging itself" but rather how to turn accumulated logs into signals, and signals into responses. Today we thread together four days' worth of tools — CloudWatch (threshold detection), Security Hub (aggregation, normalization, scoring), Athena/OpenSearch/Logs Insights (analysis), EventBridge/Security Lake (automation and integration) — into one flow and clarify the exam's boundaries that confuse tool selection. The key is not memorizing individual features but instantly answering "why is this tool the answer and that tool is not" for any given requirement.