Oct 18 2018 02:02 PM
On a small 40 user network is one sensor on a DC sufficient or should the sensor be installed on multiple domain controllers?
View best response
Oct 18 2018 02:07 PM
It's not a matter of load for that matter, it's a matter of coverage.
If you have only one DC in the network that works, then you need to deploy only to it.
if you have many DCs, all of them should be deployed with a sensor to get good coverage.
Oct 19 2018 06:35 AM
Hi Eric,
No matter how many users you've, it matters how many DC's you've because of Azure ATP sensor reads events locally, so every DC server needs a sensor.
Azure ATP Architecture https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture
Eli.
