Microsoft Exam Questions

How should you configure the query filter?

Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events.
You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter?

A.
Event log to configure: Application

B.
Event log to configure: Directory Services

C.
Event log to configure: Security

D.
Event log to configure: System

E.
Event ID to include: 1000

F.
Event ID to include: 1009

G.
Event ID to include: 1025

H.
Event ID to include: 4776

I.
Event ID to include: 4997

Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
To enhance its detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756 and 4757. These are read automatically by the ATA Lightweight Gateway; where the Lightweight Gateway is not deployed, they must be forwarded to the ATA Gateway in one of two ways: by configuring the ATA Gateway to listen for SIEM events, or by configuring Windows Event Forwarding. All of these events are written to the Security log on the domain controller, so that is the log the event subscription's query filter must select from.

Event ID 4776: NTLM authentication is being used against a domain controller
Event ID 4732: A user is added to a security-enabled domain local group
Event ID 4733: A user is removed from a security-enabled domain local group
Event ID 4728: A user is added or removed from a security-enabled global group
Event ID 4729: A user is removed from a security-enabled global group
Event ID 4756: A user is added or removed from a security-enabled universal group
Event ID 4757: A user is removed from a security-enabled universal group
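As an added example (not part of the exam question or of Microsoft's documentation), the query filter below selects exactly the Security-log events listed above, in the QueryList/XPath form that a Windows Event Forwarding subscription uses; running it through Get-WinEvent on a domain controller lets you confirm the filter matches real events before pasting it into the subscription. The event IDs come from the explanation; the variable names are this example's own.

```powershell
# Added example: build and validate the WEF query filter for the ATA event set.
# These IDs are the ones the explanation lists; 4776 is the NTLM credential
# validation event that Pass-the-Hash detection relies on.
$eventIds = 4776, 4732, 4733, 4728, 4729, 4756, 4757

# Produce "EventID=4776 or EventID=4732 or ..." for the XPath predicate.
$idClause = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# This QueryList is what goes into the subscription's query filter on Server1.
# Both Path attributes must name the Security log; Application, System or
# Directory Services would never carry these events.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($idClause)]]</Select>
  </Query>
</QueryList>
"@

# Sanity check on a domain controller: Get-WinEvent accepts the same QueryList
# syntax as Event Viewer and WEF, so a non-empty result proves the filter works.
# -ErrorAction SilentlyContinue suppresses the "no events found" error on a quiet DC.
Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName |
    Format-Table -AutoSize

# Print the filter so it can be copied into the subscription's XML query tab.
Write-Output $queryXml
```

If no rows come back on a DC that is actively authenticating users, the filter is wrong (typically the Path is not Security), so fix that before creating the subscription rather than debugging forwarding.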