Oct 21 2020 12:20 PM
Greetings,
We use Azure Advanced Threat Protection outside of Azure Security Center. We view the information in a standalone ATP area.
We have several forests but only want to protect one.
Does anyone know of a way to limit the scan to 1 forest?
Thanks,
Flynn
Oct 21 2020 05:01 PM
@FlynnKeilty If the forests do not have trust between them, and you only install sensors on the one you want to protect, it should work.
If you have trust, then it does not make sense to "protect just one" because you won't be if you "monitor just one". An attacker can easily attack from one of the other forests and you won't be able to see it.
Feb 23 2021 10:11 PM
Feb 24 2021 12:46 AM
@Nonsaho In this case you are both losing.
Once you have trust/connected networks, those are not really separated entities...
Attackers can move in between them freely.
If they can, they will use a machine from company A to attack company B, they won't care that those are 2 companies...
From MDI perspective/security perspective, it makes sense to protect both companies using a single MDI tenant.
If running like this, it will work, but you will lose detection for cross company attacks...
Feb 24 2021 12:59 AM
Feb 24 2021 01:03 AM
@Nonsaho
The reality is that the attacker won't care those are 2 separate legal entities, it might even be an advantage for the attacker...
But I understand that some customers will prefer to have limited security due to this situation and "dismiss" the alert for specific domains.
Adding @Or Tsemah from Product for this feedback.
Feb 24 2021 03:39 AM
The secure score control (using MDI data) will show any DCs (and soon AD FS servers) that *should* be monitored by the MDI sensor in order for the organization to be considered protected and gain the point. We are excluding discovered DCs where the domain has a 1-way external trust, as this means that no entities from the other domain can cause issues ("they trust us but we do not trust them").
If this is not the case and you're willing to accept the risk, you can close that control or mark it as resolved through 3rd party.
With that said, we are evaluating how to provide more granular exclusion options, but there is no ETA that I can currently share.
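
Added example, not part of any post in this thread and not Microsoft's code: a PowerShell sketch that lists a domain's trusts with `Get-ADTrust` and marks the one case the reply above describes as excluded, a 1-way external trust. It assumes that "they trust us but we do not trust them" corresponds to `Direction = Inbound` on a non-transitive, non-intra-forest trust; the function name, the output column names and the sample partner names are hypothetical.

```powershell
# Added example. Needs the ActiveDirectory (RSAT) module only when no
# -Trust objects are passed in.
function Get-TrustSensorScope {
    param(
        # Objects shaped like Get-ADTrust output; defaults to the live domain.
        [object[]] $Trust = (Get-ADTrust -Filter *)
    )
    foreach ($t in $Trust) {
        $direction = "$($t.Direction)"   # Inbound, Outbound, BiDirectional, Disabled
        $kind = if ($t.IntraForest) { 'IntraForest' } elseif ($t.ForestTransitive) { 'Forest' } else { 'External' }

        # Assumption: "they trust us but we do not trust them" means an
        # Inbound-only external trust as seen from the domain being queried.
        $oneWayExternal = ($kind -eq 'External') -and ($direction -eq 'Inbound')

        [pscustomobject]@{
            Partner             = $t.Name
            Kind                = $kind
            Direction           = $direction
            SelectiveAuth       = [bool]$t.SelectiveAuthentication
            SidFilterQuarantine = [bool]$t.SIDFilteringQuarantined
            # True only for the case the thread says is excluded; every other
            # trust leaves the partner's DCs on the "should be monitored" side.
            OneWayExternalOnly  = $oneWayExternal
        }
    }
}

# Constructed sample trusts (hypothetical names) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'corp-b.example';   Direction = 'BiDirectional'; ForestTransitive = $true;  IntraForest = $false; SelectiveAuthentication = $false; SIDFilteringQuarantined = $false }
    [pscustomobject]@{ Name = 'partner.example';  Direction = 'Inbound';       ForestTransitive = $false; IntraForest = $false; SelectiveAuthentication = $false; SIDFilteringQuarantined = $true  }
    [pscustomobject]@{ Name = 'supplier.example'; Direction = 'Outbound';      ForestTransitive = $false; IntraForest = $false; SelectiveAuthentication = $true;  SIDFilteringQuarantined = $true  }
)

Get-TrustSensorScope -Trust $sample | Format-Table -AutoSize
# On a domain-joined machine, run Get-TrustSensorScope with no arguments.
```

In the constructed sample only `partner.example` is marked `OneWayExternalOnly`; the bidirectional forest trust and the outbound external trust both leave a path for the partner's accounts into the monitored domain.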
Feb 24 2021 04:35 AM