Exam SC-200 topic 3 question 30 discussion

Actual exam question from Microsoft's SC-200
Question #: 30
Topic #: 3

You have the following environment:

✑ Azure Sentinel
✑ A Microsoft 365 subscription
✑ Microsoft Defender for Identity
✑ An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
  • B. Modify the permissions of the Domain Controllers organizational unit (OU).
  • C. Configure auditing in the Microsoft 365 compliance center.
  • D. Configure Windows Event Forwarding on the domain controllers.
Suggested Answer: AD

Comments

Eltooth
Highly Voted 3 years, 7 months ago
Correct - A & D
upvoted 14 times
...
DChilds
Highly Voted 1 year ago
I am confused by the part of the question that says, "You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers." I am thinking this means Sentinel is already ingesting the logs. Why would you still need to configure Windows Event Forwarding in this case? I get that the other options may be irrelevant to the question, but the three options don't really make sense as options to me (B-D). Anybody else see that?
upvoted 5 times
VeiN
6 months, 2 weeks ago
Yes, there is no proper 2nd answer (A is correct). The 2nd answer should be: Go to aka.ms/de portal > Settings > Identities > (Entity tags) Sensitive > Groups > + tag groups (add groups that are sensitive)
upvoted 1 times
...
...
chepeerick
Most Recent 1 year, 6 months ago
Correct option
upvoted 1 times
...
[Removed]
2 years, 2 months ago
Selected Answer: AD
A. To enable auditing for sensitive groups, you need to configure the Advanced Audit Policy Configuration settings for the domain controllers. This can be done by modifying the Default Domain Controllers Policy in the Group Policy Management Console (GPMC) and enabling the "Audit Detailed Directory Service Replication" policy under "Advanced Audit Policy Configuration\DS Access". This will generate audit events when sensitive groups are modified.
D. Windows Event Forwarding can be used to forward the audit events generated by the domain controllers to Azure Sentinel for analysis. This involves configuring a subscription on the domain controllers and a collection rule in Azure Sentinel to collect the forwarded events.
upvoted 3 times
...
SuperGraham
2 years, 4 months ago
Selected Answer: AD
A & D are the correct answers
upvoted 2 times
...
Apocalypse03
2 years, 4 months ago
Answer is correct. Simple!
upvoted 1 times
...
Metasploit
2 years, 6 months ago
Selected Answer: AD
Answer is correct.
A: Configure the Advanced Audit Policy Configuration settings for the domain controllers.
For the correct events to be audited and included in the Windows Event Log, your domain controllers require accurate Advanced Audit Policy settings. https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection
D: Configure Windows Event Forwarding on the domain controllers.
To enhance detection capabilities, Defender for Identity needs the Windows events listed in Configure event collection. These can either be read automatically by the Defender for Identity sensor or, in case the Defender for Identity sensor is not deployed, they can be forwarded to the Defender for Identity standalone sensor in one of two ways: by configuring the Defender for Identity standalone sensor to listen for SIEM events or by configuring Windows Event Forwarding. https://learn.microsoft.com/en-us/defender-for-identity/configure-event-forwarding
upvoted 4 times
...
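Added example, not part of any comment on this page or of Microsoft's documentation: a minimal detection pass over forwarded Security events in Windows event XML form, flagging member add/remove events (the Security Group Management event IDs 4728, 4729, 4732, 4733, 4756, 4757) on a watch list of sensitive groups. The watch list, the `_event` helper and the sample events are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Member added/removed events for global, domain-local and universal
# security groups (emitted when "Audit Security Group Management" is on).
MEMBERSHIP_EVENTS = {4728: "added", 4729: "removed", 4732: "added",
                     4733: "removed", 4756: "added", 4757: "removed"}
# Assumption: a short watch list; align it with the groups your
# environment treats as sensitive.
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins"}

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def sensitive_group_changes(events_xml):
    """Return one alert dict per membership change on a watched group."""
    alerts = []
    for xml_text in events_xml:
        event_id, data = parse_event(xml_text)
        action = MEMBERSHIP_EVENTS.get(event_id)
        group = data.get("TargetUserName", "")
        if not action or group.lower() not in SENSITIVE_GROUPS:
            continue  # other event IDs also carry TargetUserName
        member = data.get("MemberName", "-")
        if member in ("", "-"):  # name is not always populated; use the SID
            member = data.get("MemberSid", "-")
        alerts.append({"event_id": event_id, "action": action, "group": group,
                       "member": member, "actor": data.get("SubjectUserName")})
    return alerts

def _event(event_id, **fields):
    """Build a constructed event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample events (not real log data).
SAMPLE = [
    _event(4728, TargetUserName="Domain Admins", SubjectUserName="helpdesk1",
           MemberName="CN=svc-backup,CN=Users,DC=corp,DC=example"),
    _event(4732, TargetUserName="Print Operators", SubjectUserName="admin2"),
    _event(4624, TargetUserName="Domain Admins"),  # logon event, not a change
    _event(4757, TargetUserName="Enterprise Admins", SubjectUserName="admin2",
           MemberName="-", MemberSid="S-1-5-21-1-2-3-1105"),
]
```

If the audit policy on the domain controllers does not emit these events, or they never reach the collector, this pass returns nothing, which is why both the audit settings and the forwarding path need verifying.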
Xyz_40
2 years, 7 months ago
correct A,D
upvoted 1 times
...