I know that when you first deploy AATP, there is a 30 day monitoring window for the service to monitor/learn logons and activities so that it can accurately report on security risks.
Does this same window apply when you install a new sensor onto a brand new Domain Controller into an existing environment?
We are looking at building a couple DC's in Azure, and since logon event information is not shared by DC's, it would make sense that AATP would need to learn the activities on the new DC's, but with the miracle of machine learning, that may not be required.