Applies to: Azure Advanced Threat Protection

Azure ATP capacity planning

This article helps you determine how many Azure ATP sensors and standalone sensors you need.

Using the sizing tool

The recommended and simplest way to determine capacity for your Azure ATP deployment is to use the Azure ATP Sizing Tool. Run the Azure ATP Sizing Tool and from the Excel file results, use the following fields to determine the memory and CPU that used by the sensor:


The sizing tool has two sheets - one for Azure ATP and one for ATA. Make sure you use the correct sheet.

Sample capacity planning tool

If for some reason you cannot use the Azure ATP Sizing Tool, manually gather the packet/sec counter information from all your domain controllers for 24 hours with a low collection interval (approximately 5 seconds). Then, for each domain controller, you must calculate the daily average and the busiest period (15 minutes) average. The following sections present the instruction for how to collect the packets/sec counter from one domain controller.

Choosing the right sensor type for your deployment

In an Azure ATP deployment any combination of the Azure ATP sensor types is supported:

  • Only Azure ATP sensors
  • Only Azure ATP standalone sensors
  • A combination of both

When deciding the sensor deployment type, consider the following benefits:

Sensor type Benefits Cost Deployment topology Domain controller use
Azure ATP sensor Doesn't require a dedicated server and port-mirroring configuration Lower Installed on the domain controller Supports up to 100,000 packets per second
Azure ATP standalone sensor The Out of band deployment makes it harder for attackers to discover Azure ATP is present Higher Installed alongside the domain controller (out of band) Supports up to 100,000 packets per second

Consider the following issues when deciding how many Azure ATP standalone sensors to deploy.

  • Active Directory forests and domains
    Azure ATP can monitor traffic from multiple domains within multiple Active Directory forests for each instance you create.

  • Port Mirroring
    Port mirroring considerations might require you to deploy multiple Azure ATP standalone sensors per data center or branch site.

  • Capacity
    An Azure ATP standalone sensor can support monitoring multiple domain controllers, depending on the amount of network traffic of the domain controllers being monitored.

Azure ATP sensor and standalone sensor sizing

An Azure ATP sensor can support the monitoring of one domain controller based on the amount of network traffic the domain controller generates. The following table is an estimate, the final amount that the sensor parses is dependent on the amount of traffic and the distribution of traffic.


The following CPU and memory capacity refers to the sensor's own consumption – not the domain controller capacity.

Packets per second* CPU (cores) Memory (GB)
0-1k 0.25 2.50
1k-5k 0.75 6.00
5k-10k 1.00 6.50
10k-20k 2.00 9.00
20k-50k 3.50 9.50
50k-75k 3.50 9.50
75k-100k 3.50 9.50


  • Total number of cores that the sensor service will use.
    It is recommended that you don't work with hyper-threaded cores.
  • Total amount of memory that the sensor service will use.
  • If the domain controller does not have the resources required by the Azure ATP sensor, domain controller performance is not affected, but the Azure ATP sensor might not operate as expected.
  • When running as a virtual machine dynamic memory or any other memory ballooning feature is not supported.
  • For optimal performance, set the Power Option of the Azure ATP sensor to High Performance.
  • A minimum of 2 cores and 6 GB of space is required and 10 GB is recommended, including space needed for the Azure ATP binaries and logs.

Domain controller traffic estimation

There are various tools that you can use to discover the average packets per second of your domain controllers. If you do not have any tools that track this counter, you can use Performance Monitor to gather the required information.

To determine packets per second, perform the following steps on each domain controller:

  1. Open Performance Monitor.

    Performance monitor image

  2. Expand Data Collector Sets.

    Data collector sets image

  3. Right click User Defined and select New > Data Collector Set.

    New data collector set image

  4. Enter a name for the collector set and select Create Manually (Advanced).

  5. Under What type of data do you want to include? select Create data logs, and Performance counter.

    Type of data for new data collector set image

  6. Under Which performance counters would you like to log, click Add.

  7. Expand Network Adapter and select Packets/sec and select the proper instance. If you are not sure, you can select <All instances> and click Add and OK.


    To perform this operation in a command line, run ipconfig /all to see the name of the adapter and configuration.

    Add performance counters image

  8. Change the Sample interval to five seconds.

  9. Set the location where you want the data to be saved.

  10. Under Create the data collector set, select Start this data collector set now, and click Finish.

    You should now see the data collector set you created with a green triangle indicating that it is working.

  11. After 24 hours, stop the data collector set, by right-clicking the data collector set and selecting Stop.

    Stop data collector set image

  12. In File Explorer, browse to the folder where the .blg file was saved and double-click it to open it in Performance Monitor.

  13. Select the Packets/sec counter, and record the average and maximum values.

    Packets per second counter image

See Also