Limit Advanced Threat Protection to one domain
FlynnKeilty If the forests do not have trust between them, and you only install sensors on the one you want to protect, it should work.
If you have trust, then it does not make sense to "protect just one" because you won't be if you "monitor just one". An attacker can easily attack from one of the other forests and you won't be able to see it.
- Nonsaho, Feb 23, 2021, Copper Contributor
What if you have a trust with a sister company with their own MDI instance? We are getting flagged in secure score that the sensor is missing on over 130 DCs, which is a bit annoying. They are protecting their environment and we are protecting our environment, which generally works well.
- EliOfek, Feb 24, 2021, Microsoft
Nonsaho In this case you are both losing.
Once you have trust/connected networks, those are not really separated entities...
Attackers can move in between them freely.
If they can, they will use a machine from company A to attack company B, they won't care that those are 2 companies...
From MDI perspective/security perspective, it makes sense to protect both companies using a single MDI tenant.
If running like this, it will work, but you will lose detection for cross-company attacks...
- Nonsaho, Feb 24, 2021, Copper Contributor
Thanks for your reply. It is actually not that easy. These companies are two different legal entities and can’t come together under one MDI instance. I guess the solution is lacking this required option to exclude domains if two or more companies are responsible for their own environment. I fully understand that from a technical point of view, but the reality looks different.