Forum Discussion

Copper Contributor

Jul 31, 2019

Installing sensors across several data centers: Standalone vs. ATP Sensor

In order to get full coverage of a large enterprise, besides installing on all DC's, should we install standalone sensors also? My thinking is that it is a good idea to have both types of sensors ins...

EliOfek

Microsoft

Jul 31, 2019

Sensor duplication (monitoring a DC with more than one sensor) is not supported.

For best experience, use the integrated sensor, as it provide the complete set of detections AATP offers.

Standalone sensors provide only partial detection.

jbchris
Copper Contributor
Jul 31, 2019
EliOfek

So if I understand you correctly, ATP Sensors are installed on all DC's and send alerts to ATP Cloud service. All other non-domain controllers are set up to send traffic to the standalone sensor and then the standalone sensor sends traffic to ATP.

Is this correct?
- EliOfek
  Microsoft
  Jul 31, 2019
  jbchris , pretty much, the sensor collects data we think is relative for detection and send it to Azure.
  
  in standalone, you need to mirror traffic and forward windows events, but there are stuff you can't forward like ETW events. so the integrated sensor is far better is possible.
  - CurlX
    Copper Contributor
    Jun 11, 2020
    EliOfek Is there an overview of what kind of use cases cannot be covered when using the Standalone Sensor? As of security related issues, we tend to proceed with the standalone sensors, thus the question.