Investigating Why Azure Advanced Threat Protection Sensor is Not Running in Microsoft 365 | Exam MS-500

Question

You have a Microsoft 365 subscription and Microsoft 365 E5 licenses assigned to your users.

You have installed Microsoft Defender for Identity sensors on a domain controller.

You validate the installation and notice that the service “Azure Advanced Threat Protection sensor” is not running.

You need to investigate why.

Where should you look?

Answers

Explanations

A. B. C. D.

Correct Answer: C

After you have installed and configured the Microsoft Defender for Identity sensors on a domain controller, you can view the error output in the "Microsoft.Tri.sensor-Errors.log" file.

This log contains only the issues and errors detected by the Defender for Identity sensors.

Option A is incorrect. The Microsoft Defender for Identity Reports provide system and entity status information, not detailed information about the sensor installation.

Option B is incorrect.

The Application event log on the domain controller will not display detailed information about Microsoft Defender for Identity sensor errors.

Option D is incorrect.

Cloud App Security - Activity log gives you security related events and alerts in your tenant.

To know more about Defender for Identity installation, please refer to the link below:

The correct answer is C. Review the "Microsoft.Tri.sensor-Errors.log" file under "%programfiles%\Azure Advanced Threat Protection sensor\Version X\Logs".

Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection) is a cloud-based security solution that detects and alerts on suspicious activities across your hybrid enterprise. The solution includes sensors that are installed on domain controllers, which monitor the domain controller's event logs for signs of suspicious activity.

In this scenario, you have installed Microsoft Defender for Identity sensors on a domain controller and noticed that the "Azure Advanced Threat Protection sensor" service is not running. To investigate why, you need to look for error messages that may have been generated by the sensor. The recommended location to look for these error messages is the "Microsoft.Tri.sensor-Errors.log" file, which is located under "%programfiles%\Azure Advanced Threat Protection sensor\Version X\Logs". This log file contains detailed information about any errors that may have occurred during the sensor installation or operation.

Option A, the Microsoft Defender for Identity portal - Reports, provides a comprehensive view of the security events detected by Microsoft Defender for Identity. However, it does not provide information about the status of individual sensors.

Option B, on the domain controller where the sensor is installed - Event logs - Application events, may contain event logs related to the sensor's operation. However, these logs may not be as detailed as the "Microsoft.Tri.sensor-Errors.log" file.

Option D, Cloud App Security - Activity log, is not relevant to investigating why the "Azure Advanced Threat Protection sensor" service is not running. Cloud App Security is a separate security solution that provides visibility and control over cloud applications and services.

In summary, to investigate why the "Azure Advanced Threat Protection sensor" service is not running, you should review the "Microsoft.Tri.sensor-Errors.log" file under "%programfiles%\Azure Advanced Threat Protection sensor\Version X\Logs".
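The triage described above, as an added PowerShell example run on the domain controller (not code from the exam page or from Microsoft). It assumes the service display name and log location quoted in the answer; the "Version X" folder is resolved by picking the most recently written version folder, and the Application event log is queried only as the secondary, less detailed check the explanation mentions.

```powershell
# Added example: triage a Defender for Identity sensor service that is not running.
# Assumptions: service display name and log path as quoted in the answer above;
# the "Version X" folder name changes per release, so the newest folder is used.

$DisplayName = 'Azure Advanced Threat Protection sensor'
$SensorRoot  = Join-Path $env:ProgramFiles 'Azure Advanced Threat Protection sensor'

# 1. Service state, looked up by the display name the question quotes
$svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "No service with display name '$DisplayName' found; the sensor may not be installed."
} else {
    "Service '{0}' ({1}) is {2}" -f $svc.DisplayName, $svc.Name, $svc.Status
}

# 2. Resolve "<install root>\Version X\Logs" without hard-coding the version folder
$logDir = Get-ChildItem -Path $SensorRoot -Directory -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1 |
          ForEach-Object { Join-Path $_.FullName 'Logs' }

if (-not $logDir -or -not (Test-Path $logDir)) {
    Write-Warning "Sensor log folder not found under '$SensorRoot'."
} else {
    # The errors log holds only sensor-detected issues; tail it for the latest failure
    $errLog = Join-Path $logDir 'Microsoft.Tri.sensor-Errors.log'
    if (Test-Path $errLog) {
        "--- Last 20 lines of $errLog ---"
        Get-Content -Path $errLog -Tail 20
    } else {
        "No error log at $errLog (no sensor-side errors recorded)."
    }
}

# 3. Secondary check (Option B): Application-log errors from the last hour that mention the sensor
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Azure Advanced Threat Protection*' -or $_.Message -like '*Microsoft.Tri.Sensor*' } |
    Select-Object -First 5 TimeCreated, ProviderName, Message |
    Format-List
```

Run it in an elevated PowerShell session on the domain controller; step 2 is the one that answers the exam question, step 3 only confirms what the less detailed Application log shows.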