Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?
Trap 1: Syslog via AMA
Syslog via AMA collects syslog output from Linux hosts. It does not carry the Windows Security log (logon events such as 4624, 4625 and 4648), so it gives no view of Windows-to-Windows logons between on-premises servers and Azure VMs.
Trap 2: Office 365 Logs
Office 365 Logs record Exchange, SharePoint and Teams activity inside the cloud service; they contain no OS-level authentication events from on-premises servers or Azure VMs.
Trap 3: Azure Activity Log
Azure Activity Log records control-plane operations against Azure resources (who created, changed or deleted a VM, disk or NSG); it contains no OS-level logon events from inside the VM.
- A
Syslog via AMA
Why wrong: Syslog via AMA collects syslog output from Linux hosts. It does not carry the Windows Security log (logon events such as 4624, 4625 and 4648), so it gives no view of Windows-to-Windows logons between on-premises servers and Azure VMs.
- B
Office 365 Logs
Why wrong: Office 365 Logs record Exchange, SharePoint and Teams activity inside the cloud service; they contain no OS-level authentication events from on-premises servers or Azure VMs.
- C
Windows Security Events via AMA
Why correct: Windows Security Events via AMA streams the Windows Security log (4624 successful logon, 4625 failed logon, 4648 logon with explicit credentials, 4672 special privileges assigned) into the SecurityEvent table from both Azure VMs and on-premises servers (the on-premises side must be onboarded through Azure Arc before AMA can run there). With both ends in one table, a single query can follow an account from an on-premises source address across the Azure VMs it logs on to, which is the signal lateral-movement detection needs.
- D
Azure Activity Log
Why wrong: Azure Activity Log records control-plane operations against Azure resources (who created, changed or deleted a VM, disk or NSG); it contains no OS-level logon events from inside the VM.
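To make the reasoning behind option C concrete, here is an added example (not part of the original question, and not Microsoft's code) of the detection logic that becomes possible once Windows Security events land in the SecurityEvent table. The rows are constructed sample data whose field names mirror SecurityEvent (TimeGenerated, EventID, Computer, Account, LogonType, IpAddress); the on-premises address range 10.10.0.0/16, the 30-minute window and the three-target threshold are assumptions chosen for illustration. It flags an account that, from an on-premises source address, performs network or RDP logons to several distinct Azure VMs inside the window, and it shows why the other three connectors cannot feed this check: none of them carries the source IP, logon type and target computer of an OS-level logon.

```python
"""Lateral-movement check over constructed Windows Security (4624) events.

Added example, not code from the original page. Field names follow the
Sentinel SecurityEvent table; the address range, window and threshold are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: on-premises servers sit in 10.10.0.0/16; the Computer field
# of each row is the Azure VM that accepted the logon.
ONPREM_RANGE = ip_network("10.10.0.0/16")
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_TARGETS = 3  # one account reaching 3+ VMs inside WINDOW

# Constructed sample rows. EventID 4624 = successful logon, 4625 = failed.
# LogonType 3 = network (SMB/WinRM/WMI), 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "EventID": 4624, "Computer": "az-web-01", "Account": "CORP\\svc-backup", "LogonType": 3, "IpAddress": "10.10.5.21"},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "EventID": 4625, "Computer": "az-db-02", "Account": "CORP\\svc-backup", "LogonType": 3, "IpAddress": "10.10.5.21"},
    {"TimeGenerated": "2024-05-01T10:04:10Z", "EventID": 4624, "Computer": "az-web-02", "Account": "CORP\\svc-backup", "LogonType": 3, "IpAddress": "10.10.5.21"},
    {"TimeGenerated": "2024-05-01T10:09:45Z", "EventID": 4624, "Computer": "az-db-01", "Account": "CORP\\svc-backup", "LogonType": 3, "IpAddress": "10.10.5.21"},
    # Single RDP session from on-premises: normal admin behaviour, below threshold.
    {"TimeGenerated": "2024-05-01T10:01:00Z", "EventID": 4624, "Computer": "az-web-01", "Account": "CORP\\jdoe", "LogonType": 10, "IpAddress": "10.10.7.40"},
    # Azure-internal monitoring account: source is not on-premises, out of scope here.
    {"TimeGenerated": "2024-05-01T10:03:00Z", "EventID": 4624, "Computer": "az-web-01", "Account": "AZURE\\svc-monitor", "LogonType": 3, "IpAddress": "10.50.1.5"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "EventID": 4624, "Computer": "az-web-02", "Account": "AZURE\\svc-monitor", "LogonType": 3, "IpAddress": "10.50.1.5"},
    {"TimeGenerated": "2024-05-01T10:07:00Z", "EventID": 4624, "Computer": "az-web-03", "Account": "AZURE\\svc-monitor", "LogonType": 3, "IpAddress": "10.50.1.5"},
    # Three targets, but spread over seven hours: outside the window.
    {"TimeGenerated": "2024-05-01T08:00:00Z", "EventID": 4624, "Computer": "az-web-01", "Account": "CORP\\admin", "LogonType": 3, "IpAddress": "10.10.5.21"},
    {"TimeGenerated": "2024-05-01T11:30:00Z", "EventID": 4624, "Computer": "az-web-02", "Account": "CORP\\admin", "LogonType": 3, "IpAddress": "10.10.5.21"},
    {"TimeGenerated": "2024-05-01T15:00:00Z", "EventID": 4624, "Computer": "az-db-01", "Account": "CORP\\admin", "LogonType": 3, "IpAddress": "10.10.5.21"},
    # Windows writes "-" for IpAddress on some logons; the check must not crash on it.
    {"TimeGenerated": "2024-05-01T10:06:00Z", "EventID": 4624, "Computer": "az-web-01", "Account": "AZ-WEB-01$", "LogonType": 3, "IpAddress": "-"},
]


def parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_lateral_movement(events, onprem=ONPREM_RANGE, window=WINDOW,
                            min_targets=MIN_DISTINCT_TARGETS):
    """Return {account: sorted target computers} for accounts that logged on
    (4624, network or RDP) from an on-premises address to at least
    `min_targets` distinct computers within `window`.
    """
    per_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in (3, 10):
            continue
        try:
            src = ip_address(e["IpAddress"])
        except ValueError:
            continue  # "-" or other placeholder, no usable source address
        if src not in onprem:  # version mismatch (IPv6 src) also yields False
            continue
        per_account[e["Account"]].append((parse_ts(e["TimeGenerated"]), e["Computer"]))

    hits = {}
    for account, logons in per_account.items():
        logons.sort()
        # Slide a window anchored at each logon; report the first burst that qualifies.
        for i, (t0, _) in enumerate(logons):
            targets = {computer for t, computer in logons[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[account] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    for account, targets in detect_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{account}: on-prem source reached {len(targets)} Azure VMs {targets}")
```

In Sentinel the same shape is a scheduled analytics rule over SecurityEvent, filtering on EventID 4624 and LogonType, summarising distinct Computer per Account and time bin, and joining the IpAddress against your on-premises ranges. The fields that make that possible exist only because the Security channel is being forwarded; Syslog, Office 365 and Activity Log rows have no equivalent columns to query.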