Microsoft 365 Security Administration — Question 83
Your network contains an on-premises Active Directory domain. The domain contains servers that run Windows Server and have advanced auditing enabled.
The security logs of the servers are collected by using a third-party SIEM solution.
You purchase a Microsoft 365 subscription and plan to deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified and when malicious services are created.
What should you do?
Answer options
- A. Configure Event Forwarding on the domain controllers.
- B. Configure auditing in the Office 365 Security & Compliance center.
- C. Turn on Delayed updates for the Microsoft Defender for Identity sensors.
- D. Enable the Audit account management Group Policy setting for the servers.
Correct answer: A
Explanation
The correct answer is A: configuring Event Forwarding on the domain controllers ensures that security events related to sensitive groups and potential security threats are forwarded to the SIEM solution for monitoring. Options B and C are not relevant to on-premises Active Directory monitoring. Option D pertains to auditing account management, but it does not provide the event forwarding needed to detect the required modifications.