Exam MS-500 topic 2 question 1 discussion

DRAG DROP -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.
You receive the following alerts:
✑ Suspected Netlogon privilege elevation attempt
✑ Suspected Kerberos SPN exposure
✑ Suspected DCSync attack
To which stage of the cyber-attack kill chain does each alert map? To answer, drag the appropriate alerts to the correct stages. Each alert may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Suggested Answer:
Box 1: Compromised credential -
The following security alerts help you identify and remediate Compromised credential phase suspicious activities detected by Defender for Identity in your network.
In this tutorial, you'll learn how to understand, classify, remediate and prevent the following types of attacks:
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) (external ID 2411)
Suspected Kerberos SPN exposure (external ID 2410)
Etc.

Box 2: Compromised credential -

Box 3: Domain dominance -
The following security alerts help you identify and remediate Domain dominance phase suspicious activities detected by Defender for Identity in your network. In this tutorial, learn how to understand, classify, prevent, and remediate the following attacks:
Suspected DCSync attack (replication of directory services) (external ID 2006)
Etc.
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts https://docs.microsoft.com/en-us/defender-for-identity/domain-dominance-alerts