A company moved an internal application to a cloud virtual machine. The security team wants operating system login events, process activity, and network flow metadata to be available in the SIEM for investigations. Which action best supports that goal?

Rely only on the cloud provider's service health dashboard and billing alerts.

Service health and billing data do not provide the detailed security telemetry needed for host-level investigations.

Encrypt the virtual machine disks and disable all logging to reduce exposure.

Encryption protects data at rest, but disabling logs removes the evidence needed for detection and response.

Install only a web application firewall because that covers server log collection.

A WAF helps protect web traffic, but it does not replace OS auditing or cloud flow logging for host and network visibility.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Enable guest OS audit logging and cloud-native flow logs, then forward the data to the SIEM. — The team needs both host-level and cloud-level visibility. Guest OS audit logging captures logons, process execution, and other internal activity on the VM. Cloud-native flow logs add network connection metadata that is often missing from the operating system alone. Sending both sources to the SIEM supports correlation, alert validation, and incident investigation. This is a practical cloud security design because it aligns telemetry with the shared responsibility model. Why others are wrong: Option A does not provide security telemetry at the necessary depth. Option C protects storage but actively harms detection capability. Option D addresses web traffic protection only and does not collect the system and network logs the team specifically needs.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.