Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on server named Server1 and the on a server named Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
A.
the domain controllers to forward Event ID 1000 to Server1
B.
the domain controllers to forward Event ID 4776 to Server2
C.
Server1 to forward Event ID 1000 to Server2
D.
Server2 to forward Event ID 1026 to Server1
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical
or virtual switches.
If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for
port mirroring.
In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or
from a SIEM server) and analyze the data for attacks
and threats.
See the GREEN line in the following figure, forward event ID 4776 which indicates NTLM authentication
is being used to ATA Gateway Server2.
