Forum Discussion
Installing sensors across several data centers: Standalone vs. ATP Sensor
Sensor duplication (monitoring a DC with more than one sensor) is not supported.
For the best experience, use the integrated sensor, as it provides the complete set of detections AATP offers.
Standalone sensors provide only partial detection.
So if I understand you correctly, ATP Sensors are installed on all DC's and send alerts to ATP Cloud service. All other non-domain controllers are set up to send traffic to the standalone sensor and then the standalone sensor sends traffic to ATP.
Is this correct?
- EliOfek, Jul 31, 2019
Microsoft
jbchris, pretty much: the sensor collects the data we think is relevant for detection and sends it to Azure.
In standalone, you need to mirror traffic and forward Windows events, but there is stuff you can't forward, like ETW events. So the integrated sensor is far better, if possible.
- CurlX, Jun 11, 2020, Copper Contributor
EliOfek, is there an overview of what kind of use cases cannot be covered when using the Standalone Sensor? Because of security-related issues, we tend to proceed with the standalone sensors, thus the question.
- EliOfek, Jun 12, 2020
Microsoft
CurlX if you look at this alert list:
Going into each one, you might see a note which contains "supported by ATP sensors only." That means using a standalone sensor won't give you this detection.
The integrated sensor is by far more advanced. As of today, less than 4% of covered DCs are protected with standalone sensors, and this number keeps dropping.
What is the mentioned security issue which leads you to use the standalone version, which provides fewer detections and is also much more expensive (dedicated hardware, port mirroring, event forwarding)?
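The rules stated in this thread (one sensor per DC, standalone coverage is only partial) can be checked against a deployment plan before rollout. The following is an added example, not code from the thread or from Microsoft; the sensor names, DC names and the plan structure are constructed for illustration.

```python
"""Constructed coverage audit for an Azure ATP sensor deployment plan.

Encodes the constraints from the thread: every domain controller should be
monitored by exactly one sensor (duplication is unsupported), and a DC covered
only by a standalone sensor gets partial detection (e.g. no ETW-based alerts).
"""
from collections import defaultdict

INTEGRATED = "integrated"   # ATP sensor installed on the DC itself
STANDALONE = "standalone"   # dedicated host fed by port mirroring + event forwarding

# Constructed sample plan: sensor name -> (sensor type, DCs it monitors).
SENSOR_PLAN = {
    "DC01-sensor": (INTEGRATED, ["DC01"]),
    "DC02-sensor": (INTEGRATED, ["DC02"]),
    "standalone-east": (STANDALONE, ["DC02", "DC03"]),  # DC02 is double-covered
}
ALL_DCS = ["DC01", "DC02", "DC03", "DC04"]               # DC04 has no sensor at all


def audit_coverage(plan, dcs):
    """Return {dc: status}; status is 'ok', 'partial' (standalone only),
    'duplicate' (more than one sensor) or 'unmonitored'."""
    sensors_for = defaultdict(list)
    for name, (kind, monitored) in plan.items():
        for dc in monitored:
            sensors_for[dc].append((name, kind))
    result = {}
    for dc in dcs:
        entries = sensors_for.get(dc, [])
        if not entries:
            result[dc] = "unmonitored"
        elif len(entries) > 1:
            result[dc] = "duplicate"
        elif entries[0][1] == STANDALONE:
            result[dc] = "partial"
        else:
            result[dc] = "ok"
    return result


def findings(plan, dcs):
    """List only the DCs that need attention, in inventory order."""
    return [f"{dc}: {status}"
            for dc, status in audit_coverage(plan, dcs).items() if status != "ok"]


if __name__ == "__main__":
    for line in findings(SENSOR_PLAN, ALL_DCS):
        print(line)
```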