Forum Discussion
Installing sensors across several data centers: Standalone vs. ATP Sensor
So if I understand you correctly, ATP Sensors are installed on all DCs and send alerts to the ATP Cloud service. All other non-domain controllers are set up to send traffic to the standalone sensor, and then the standalone sensor sends traffic to ATP.
Is this correct?
jbchris, pretty much. The sensor collects data we think is relevant for detection and sends it to Azure.
In standalone mode, you need to mirror traffic and forward Windows events, but there is stuff you can't forward, like ETW events. So the integrated sensor is far better, if possible.
- CurlX, Jun 11, 2020, Copper Contributor
EliOfek, is there an overview of what kinds of use cases cannot be covered when using the Standalone Sensor? Because of security-related issues, we tend to proceed with the standalone sensors, hence the question.
- EliOfek, Jun 12, 2020, Microsoft
CurlX, if you look at this alert list:
Going into each one, you might see a note that contains "supported by ATP sensors only." That means a standalone sensor won't have this detection.
The integrated sensor is by far more advanced; as of today, less than 4% of covered DCs are protected with standalone sensors, and this number keeps dropping.
What is the mentioned security issue that pushes you toward using the standalone version, which provides fewer detections and is also much more expensive (dedicated hardware, port mirroring, event forwarding)?
- CurlX, Jun 15, 2020, Copper Contributor
Thank you for your feedback. Our Operations Team is strongly against the idea of installing an agent on the DC for these reasons:
- The DC should not have a direct internet connection (not even with a proxy in between), for hardening reasons.
- The agent load on the DC is also an issue.
I am sure we are not the only ones with these concerns; do you have any solutions to that?
In order to proceed, I am checking out the possibilities we have with the Standalone Sensor, trying to understand the limitations and difficulties we could face, and also whether the traffic to be mirrored can be limited to certain ports/protocols. I might open a new "Question" in this respect.