Limit Advanced Threat Protection to one domain
Greetings,
We use Azure Advanced Threat Protection outside of Azure Security Center. We view the information in a stand alone ATP area.
We have several forests but only want to protect one.
Does anyone know of a way to limit the scan to 1 forest?
Thanks,
Flynn
- EliOfek (Microsoft)
FlynnKeilty, if the forests do not have trust between them, and you only install sensors on the one you want to protect, it should work.
If you have trust, then it does not make sense to "protect just one", because you won't be protected if you "monitor just one". An attacker can easily attack from one of the other forests and you won't be able to see it.
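The condition in the reply above (no trust between the forests) is something you can verify before deciding to scope sensors to a single forest. The script below is an added example, not code from the thread or from Microsoft; it enumerates every trust defined in the current forest and separates the expected intra-forest trusts (parent/child, tree root) from trusts that reach outside the forest. It assumes the ActiveDirectory RSAT module is available and that you run it as a domain user inside the forest you intend to protect.

```powershell
# Added example (not from the thread): list trusts reaching outside the
# current forest so you know whether "sensors on one forest only" is a
# meaningful boundary. Assumes RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)"
Write-Host "Domains: $($forest.Domains -join ', ')"

# Collect trust objects from every domain in this forest.
$trusts = foreach ($domain in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domain |
        Select-Object @{ n = 'SourceDomain'; e = { $domain } },
                      Target, Direction, TrustType, ForestTransitive,
                      IntraForest, SIDFilteringQuarantined, SelectiveAuthentication
}

# Intra-forest trusts stay inside the sensor-covered boundary; anything
# else (external or forest trusts) is a path an attacker can use from a
# forest that has no sensors, which MDI on this side will not observe.
$outside = $trusts | Where-Object { -not $_.IntraForest }

if (-not $outside) {
    Write-Host "No trusts leave this forest; sensors on this forest's DCs cover its trust scope."
} else {
    Write-Host "Trusts that reach outside this forest (each one is a cross-forest path):"
    $outside | Format-Table -AutoSize
    # SID filtering (quarantine) off or selective authentication off makes
    # such a trust more permissive; both are worth reviewing before relying on it.
    $loose = $outside | Where-Object { -not $_.SIDFilteringQuarantined -or -not $_.SelectiveAuthentication }
    if ($loose) {
        Write-Host "Trusts without SID filtering or selective authentication:"
        $loose | Format-Table SourceDomain, Target, Direction, SIDFilteringQuarantined, SelectiveAuthentication -AutoSize
    }
}
```

Run it from a management host in the forest you plan to cover; a non-empty "outside" list is the situation the reply warns about, where monitoring only one side leaves the cross-forest paths unobserved.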
- Nonsaho (Copper Contributor)
What if you have a trust with a sister company with their own MDI instance? We are getting flagged in Secure Score that the sensor is missing on over 130 DCs, which is a bit annoying. They are protecting their environment and we are protecting our environment, which generally works well.
- EliOfek (Microsoft)
Nonsaho, in this case you are both losing.
Once you have trust/connected networks, those are not really separate entities.
Attackers can move between them freely.
If they can, they will use a machine from company A to attack company B; they won't care that those are two companies.
From an MDI/security perspective, it makes sense to protect both companies using a single MDI tenant.
If you run it like this, it will work, but you will lose detection for cross-company attacks.