SOLVED

ATP Sensor Requirement


Hi All,

 

I have a domain with 100+ servers. So do we need to install ATP Sensor for all?

As 

4 Replies

@aussupport 

Azure ATP only needs to be deployed on the domain controllers to monitor the environment; it's important to install it on all of them.


@Or Tsemah Thanks. I understand that we need to install on DCs, but why do we need to install on all the DCs?

If we have a few DCs in each site, is one of them not enough?


@aussupport It won't ensure that Azure ATP has the maximum chance of catching malicious behavior.

Although AD data is distributed between the DCs, Azure ATP also listens to network traffic, for example; that is why having 100% coverage is crucial.

Best Response confirmed by aussupport (Contributor)
Solution

@aussupport It's the nature of on-prem AD: the reason you have multiple DCs is to ensure HA? So what if a malicious login occurs against a DC that doesn't have the sensor deployed?

That being said, even having the sensors deployed to 10 - 20% of the DCs will give you some coverage, but the question then is "are you catching all the bad stuff, or are you missing something vital?"

Hope that helps?

Dave C
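
A way to measure the DC coverage the replies above call for, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, remote CIM (WinRM) access to each DC, and that the sensor runs as the Windows service `AATPSensor`; it does not account for standalone sensors fed by port mirroring.

```powershell
# Added example: report which domain controllers lack a running Azure ATP sensor.
# Assumptions: ActiveDirectory module available, caller may query services
# remotely over CIM/WinRM, sensor service name is 'AATPSensor'.
Import-Module ActiveDirectory

$sensorService = 'AATPSensor'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Default when the DC cannot be queried at all; an unreachable DC is
    # treated as uncovered so that it is never silently counted as fine.
    $status = 'Unreachable'
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                   -Filter "Name='$sensorService'" -ErrorAction Stop
        $status = if (-not $svc)                   { 'NotInstalled' }
                  elseif ($svc.State -eq 'Running') { 'Running' }
                  else                              { "Installed ($($svc.State))" }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        Sensor           = $status
    }
}

# Full per-DC view, grouped by AD site.
$report | Sort-Object Site, DomainController | Format-Table -AutoSize

# Coverage summary: only DCs with a running sensor count as covered.
$total   = @($report).Count
$covered = @($report | Where-Object { $_.Sensor -eq 'Running' }).Count
if ($total -gt 0) {
    '{0} of {1} DCs have a running sensor ({2:P0})' -f $covered, $total, ($covered / $total)
}

# DCs where authentication traffic would currently go unmonitored.
$report | Where-Object { $_.Sensor -ne 'Running' } |
    Select-Object DomainController, Site, Sensor
```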