A team moved a Linux VM to IaaS. They need OS login events, process activity, and network flow metadata sent to one central platform for alerting. What is the best first step?

Store the VM snapshots in object storage and review them manually during incidents.

Snapshots are useful for recovery, but they are not a substitute for continuous telemetry and alerting.

Enable only perimeter security groups and assume the cloud provider will collect all host telemetry.

Security groups control traffic, but they do not gather detailed OS activity or host-level process events.

Rely on the hypervisor console and disable guest-level logging to reduce overhead.

Guest logging is often required for detailed visibility, and the hypervisor console is not enough for security operations.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Deploy an endpoint logging agent and enable cloud-native flow logs to a centralized logging service. — The best first step is to deploy a logging agent on the VM and enable the provider's native flow logs, then forward both sources to a central logging platform. That combination provides the host-level details needed to see logon activity and process execution, while flow logs provide network context. Together, they support correlation and alerting without requiring the team to build telemetry from scratch. Why others are wrong: A focuses only on traffic control and misses the OS and process visibility the question requires. C is more useful for restoration than for ongoing monitoring, so it does not meet the operational goal. D assumes the hypervisor alone provides enough security detail, but host telemetry is still necessary for meaningful investigation and detection in a cloud instance.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.