Implement Microsoft Defender for Identity to monitor a server

Written by John Gruber Published on Last Updated on

You have an on-premises infrastructure that contains the following:

An Active Directory domain with a domain controller named ServerA.
A server named ServerB that's not a domain controller.

A security policy is configured that prevents ServerA from connecting to the Internet. ServerB can connect to the Internet.

You've been tasked with implementing Microsoft Defender for Identity to monitor ServerA.

How should you configure the servers?

Configure a port mirroring source on ServerB

Configure a port mirroring source on ServerA

Install the Microsoft Defender for Identity standalone sensor on ServerB

Install the Microsoft Defender for Identity Sensor on ServerA

Install the Microsoft Defender for Identity Sensor on ServerB

Configure an event subscription on ServerA

Install the Microsoft Defender for Identity standalone sensor on ServerA

Configure an event subscription on ServerB

Click to show answer

This question/answer is only relevant if you deploy Microsoft Defender for Identity standalone sensors instead of Defender for Identity sensors.

In short, you need to configure port mirroring on each server to be monitored. Then install a standalone sensor. Finally, configure an event collection/subscription on the server that can connect to the internet.

< Previous Next > Skip Exam >>