Forum Discussion
Limit Advanced Threat Protection to one domain
Nonsaho In this case you are both losing.
Once you have trust/connected networks, those are not really separated entities...
Attackers can move in between them freely,
If they can, they will use a machine from company A to attack company B; they won't care that those are 2 companies...
From MDI perspective/security perspective, it makes sense to protect both companies using a single MDI tenant.
If running like this, it will work, but you will lose detection for cross company attacks...
- Nonsaho, Feb 24, 2021, Copper Contributor
Thanks for your reply. It is actually not that easy. These companies are two different legal entities and can't come together under one MDI instance. I guess the solution is lacking this required option to exclude domains if two or more companies are responsible for their own environment. I fully understand that from a technical point of view, but the reality looks different.
- EliOfek, Feb 24, 2021, Microsoft
Nonsaho
The reality is that the attacker won't care those are 2 separate legal entities, it might even be an advantage for the attacker...
But I understand that some customers will prefer to have limited security due to this situation and "dismiss" the alert for specific domains.
Adding Or Tsemah from Product for this feedback.
- Or Tsemah, Feb 24, 2021, Former Employee
The secure score control (using MDI data) will show any DCs (and soon AD FS servers) that *should* be monitored by the MDI sensor in order for the organization to be considered protected and gain the point. We are excluding discovered DCs where the domain has a 1-way external trust, as this means that no entities from the other domain can cause issues ("they trust us but we do not trust them").
If this is not the case and you're willing to accept the risk, you can close that control or mark it as resolved through 3rd party.
With that said, we are evaluating how to provide more granular exclusion options, but there is no ETA that I can currently share.
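The exclusion rule above hinges on trust direction: a one-way trust where the other domain trusts us gives its principals no access to our domain, so its DCs do not need an MDI sensor for us to be considered protected. As an added example (not code from the thread, Microsoft, or the MDI product), the script below enumerates the local domain's trusts with the RSAT ActiveDirectory module and tags each one by kind (intra-forest, forest, or external) and by whether principals from the other side can act in this domain. It assumes a session that can query the local domain; the `Get-TrustExposure` function name and the `Direction` interpretation (`Outbound` means this domain trusts the target) are how Active Directory reports trusts, not anything defined on this page.

```powershell
# Added example, not from the thread: classify the local domain's trusts by
# direction and kind so the "1-way external trust" case is easy to spot.
# Assumes the ActiveDirectory (RSAT) module and rights to read trust objects.
Import-Module ActiveDirectory

function Get-TrustExposure {
    # Returns one object per trust. Direction is from the local domain's view:
    #   Outbound      -> we trust them: their principals can access our resources
    #   Inbound       -> they trust us: their principals cannot act here
    #   BiDirectional -> both sides trust each other
    Get-ADTrust -Filter * | ForEach-Object {
        $kind = if ($_.IntraForest)          { 'intra-forest' }
                elseif ($_.ForestTransitive) { 'forest' }
                else                         { 'external' }

        $direction = [string]$_.Direction
        $theirPrincipalsCanActHere = $direction -in @('Outbound', 'BiDirectional')

        $note = if ($theirPrincipalsCanActHere) {
            'Their principals can act here: DCs in that domain matter for monitoring'
        } else {
            'Inbound-only ("they trust us, we do not trust them"): excluded by the control when external'
        }

        [pscustomobject]@{
            Target                    = $_.Target
            Kind                      = $kind
            Direction                 = $direction
            TheirPrincipalsCanActHere = $theirPrincipalsCanActHere
            SelectiveAuthentication   = $_.SelectiveAuthentication
            Note                      = $note
        }
    }
}

# List the trusts that expose this domain first, so they are the ones to check
# against the DCs the secure score control reports as unmonitored.
Get-TrustExposure |
    Sort-Object TheirPrincipalsCanActHere -Descending |
    Format-Table Target, Kind, Direction, TheirPrincipalsCanActHere, SelectiveAuthentication -AutoSize
```

Run it on a DC or any domain-joined host with RSAT; an `external` trust whose `Direction` is `Inbound` is the case the control already ignores, while `Outbound` or `BiDirectional` trusts are the ones where closing the control or marking it resolved by a 3rd party is a risk acceptance rather than a no-op.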