Forum Discussion

jbchris's avatar
jbchris
Copper Contributor
Jul 31, 2019

Installing sensors across several data centers: Standalone vs. ATP Sensor

In order to get full coverage of a large enterprise, besides installing on all DC's, should we install standalone sensors also? My thinking is that it is a good idea to have both types of sensors installed. 

 

Just got out of a design meeting where it was discussed that its either one or the other, not both. Any clarity on the subject would be helpful

 

Thanks 

8 Replies

  • EliOfek's avatar
    EliOfek
    Icon for Microsoft rankMicrosoft
    Jul 31, 2019

    Sensor duplication (monitoring a DC with more than one sensor) is not supported.

    For best experience, use the integrated sensor, as it provide the complete set of detections AATP offers.

    Standalone sensors provide only partial detection.

    • jbchris's avatar
      jbchris
      Copper Contributor
      Jul 31, 2019

      EliOfek 

       

      So if I understand you correctly, ATP Sensors are installed on all DC's and send alerts to ATP Cloud service. All other non-domain controllers are set up to send traffic to the standalone sensor and then the standalone sensor sends traffic to ATP. 

       

      Is this correct?

      • EliOfek's avatar
        EliOfek
        Icon for Microsoft rankMicrosoft
        Jul 31, 2019

        jbchris , pretty much, the sensor collects data we think is relative for detection and send it to Azure.

        in standalone, you need to mirror traffic and forward windows events, but there are stuff you can't forward like ETW events. so the integrated sensor is far better is possible.

Resources