08-14-2020 06:23 AM
08-15-2020 10:20 PM
@aussupport It won't ensure that Azure ATP has the maximum chance of catching malicious behavior.
Although AD data is distributed between the DCs, Azure ATP also listens to network traffic, for example; that is why having 100% coverage is crucial.
08-16-2020 05:29 PM Solution
@aussupport It's the nature of on-prem AD: the reason you have multiple DCs is to ensure HA? So what if a malicious login occurs against a DC that doesn't have the sensor deployed?
That being said, even having the sensors deployed to 10 - 20% of the DCs will give you some coverage, but the question then is "are you catching all the bad stuff, or are you missing something vital?"
Hope that helps?