What should you configure?

Your network contains an Active Directory domain named contoso.com.

You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.

You install the ATA Center on server named Server1 and the ATA Gateway on a server named Served.

You need to ensure that Server2 can collect NTLM authentication events.

What should you configure?
A . the domain controllers to forward Event ID 4776 to Server2
B . the domain controllers to forward Event ID 1000 to Server1
C . Server2 to forward Event ID 1026 to Server1
D . Server1 to forward Event ID 1000 to Server2

View Answer

Answer: A

Explanation:

https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architectureATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical or virtual switches. If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring. In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or from a SIEM server) and analyze the data for attacksand threats. See the GREEN line in the following figure, forward event ID 4776 which indicates NTLM authenticationis being used to ATA Gateway Server2.