SOLVED

Both Domain controller agents and Stand alone sensors utilized

Copper Contributor

If both Domain Controller agents and stand-alone collectors in the same domain space are being used, and they are both configured to communicate with ATP Cloud service, is there any reason to forward events to the collector?  Is the audit policy still required? 


Example:

In the contoso domain, sensor agents will be installed on all Domain Controllers. In addition, a stand-alone server (a network tap will be used) is installed and configured to send events to the cloud service. Both the DCs and the stand-alone server will communicate with the ATP cloud service.


Thanks for your feedback and insights

5 Replies

@jbchris for scenarios where the sensor is installed on the DC itself, you don't need to forward events, as it will read them locally. For stand-alone machines, you need to forward the events the standalone sensor is monitoring via port mirroring.


For both, proper policies should be set for the interesting events to actually be created, or else there won't be a complete set of data to read.

@Eli Ofek 

Thank you for the info but I am not sure I explained myself clearly.


Both stand-alone and DC agents will be used in the same domain, and both will be sending events to the cloud service. If the domain controllers are already sending event log information to the ATP Cloud Service, do the events ALSO need to be forwarded to the standalone?


The client is connecting the stand-alone servers to a network tap to ensure coverage, but essentially I will end up having both stand-alone servers and DCs sending data to the cloud service.


Thanks 

best response confirmed by jbchris (Copper Contributor)
Solution

@jbchris, those events are per DC, not per domain, so each sensor needs to send the events for the DC it is monitoring. For a case where the sensor is installed on the DC, it can read the data on its own.

If the DC is monitored via a standalone sensor on a separate machine, you need to forward events from this DC to the standalone machine that monitors it.


BTW, why use standalone? For best detection, use a sensor on the DC whenever possible.

A standalone sensor can detect fewer attacks because it is exposed to less data.
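The first reply says the audit policy must actually produce the events, and the accepted answer says a DC watched by a standalone sensor must forward its events to that sensor's machine. The script below, an added example that is not from this thread or from the product, is one way to check both on a DC before relying on the standalone sensor. It reads the effective advanced audit policy with auditpol and looks for the source-initiated Windows Event Forwarding target under the "Configure target Subscription Manager" policy key. The subcategory list, the collector name and the function names are assumptions; confirm the list against the sensor's current prerequisites.

```powershell
# Added example, not part of the thread. Run on a DC that a stand-alone sensor will monitor.
# It checks (1) that the audit policy generates the events the sensor reads and
# (2) that the DC is configured to forward them to a collector over WEF.
# The subcategory list is an assumption: verify it against the sensor's documented prerequisites.

$RequiredSubcategories = @(
    'Credential Validation',       # NTLM authentication events
    'Security Group Management',   # group membership changes
    'Computer Account Management', # computer object changes
    'User Account Management'      # user object changes
)

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Name)
    # auditpol /r emits CSV (with a leading blank line); drop blank lines before parsing
    $row = auditpol /get /subcategory:"$Name" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object -First 1
    return $row.'Inclusion Setting'   # e.g. 'Success and Failure', 'Success', 'No Auditing'
}

function Test-StandaloneSensorReadiness {
    [CmdletBinding()]
    param([string[]]$Subcategories = $RequiredSubcategories)

    # Audit policy: each required subcategory should be 'Success and Failure'
    $results = @(foreach ($sub in $Subcategories) {
        $setting = Get-AuditSubcategorySetting -Name $sub
        [pscustomobject]@{
            Check = "Audit: $sub"
            Value = $setting
            Ok    = ($setting -eq 'Success and Failure')
        }
    })

    # WEF target: the "Configure target Subscription Manager" policy stores one value per
    # collector, named "1", "2", ... with data such as
    # "Server=http://collector.contoso.local:5985/wsman/SubscriptionManager/WEC,Refresh=60"
    # (collector name is a constructed placeholder).
    $wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $targets = @()
    if (Test-Path $wefKey) {
        $targets = @((Get-ItemProperty -Path $wefKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }
    $results += [pscustomobject]@{
        Check = 'WEF subscription manager configured'
        Value = ($targets -join '; ')
        Ok    = ($targets.Count -gt 0)
    }

    # Source-initiated forwarding rides on WinRM, so the service must be running
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'WinRM service running'
        Value = $winrm.Status
        Ok    = ($winrm.Status -eq 'Running')
    }
    return $results
}

Test-StandaloneSensorReadiness | Format-Table -AutoSize
```

Any row with Ok = False is a DC whose events the standalone sensor will never see, either because they are not generated or because they are not forwarded. On the collector side, `wecutil es` lists the subscriptions and `wecutil gr <subscription-name>` shows which source DCs are actually delivering, which is the quickest way to spot a DC that has the policy but has not checked in.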

@Eli Ofek 

Thank you. 


That is my thinking also. However, the client has several DCs that are either being decommissioned over the next year or are lacking resources, and feels that adding a stand-alone server will increase coverage.


So if I understand you correctly, only the DCs without the agent installed should forward events to the stand-alone. Otherwise, the DCs will read the events automatically and process them accordingly. The stand-alone will collect events from the other DCs without the agent and send events to the ATP cloud.


I really appreciate your feedback.  

@jbchris Correct, just note that the standalone cannot collect events remotely on its own; you need to forward the events to it so it can read them.
