Which TWO of the following are key indicators of a potential DCSync attack that a threat hunter should look for in Microsoft Sentinel? (Select two.)
Direct indicator of replication request.
Why this answer
Options A and D are correct. A: Replication requested by a host that is not a domain controller indicates DCSync. D: Event 4662 with DS-Replication-Get-Changes is characteristic of DCSync.
The other options point to different activity: B relates to Kerberos, C to account creation, and E to logon failure.