Nov 05 2019 01:56 PM
If both Domain Controller agents and stand-alone collectors in the same domain space are being used, and they are both configured to communicate with ATP Cloud service, is there any reason to forward events to the collector? Is the audit policy still required?
Example:
In the contoso domain, sensor agents will be installed on all Domain Controllers. In addition, a stand-alone server (a network tap will be used) is installed and configured to send events to the cloud service. Both the DCs and the stand-alone server will communicate with the ATP cloud service.
Thanks for your feedback and insights
Nov 05 2019 02:43 PM
@jbchris, for scenarios where the sensor is installed on the DC itself, you don't need to forward events as it will read them locally. For stand-alone machines, you need to forward the events the stand-alone sensor is monitoring via port mirroring.
For both, proper policies should be set for the interesting events to actually be created, or else there won't be a complete set of data to read.
Nov 06 2019 05:53 AM
Thank you for the info but I am not sure I explained myself clearly.
Both stand-alone and DC agents will be used in the same domain and both will be sending events to the cloud service. If the domain controllers are already sending event log information to the ATP Cloud Service, do the events ALSO need to be forwarded to the stand-alone?
The client is connecting the stand-alone servers to a network tap to ensure coverage, but essentially I will end up having both stand-alone servers and DCs sending data to the cloud service.
Thanks
Nov 06 2019 05:57 AM
Solution
@jbchris, those events are per DC, not per domain, so each sensor needs to send the events for the DC it is monitoring. For a case where the sensor is installed on the DC, it can read the data on its own.
If the DC is monitored via a standalone sensor on a separate machine, you need to forward events from this DC to the standalone machine that monitors it.
BTW, why use standalone? For best detection use a sensor on the DC whenever possible.
A standalone sensor can detect fewer attacks because it is exposed to less data.
Nov 06 2019 06:10 AM
Thank you.
That is my thinking also. However, the client has several DCs that are either being decommissioned over the next year or are lacking resources, and feels that adding a stand-alone server will increase coverage.
So if I understand you correctly, only the DCs without the agent installed should forward events to the stand-alone. Otherwise, the DCs will read the events automatically and process them accordingly. The stand-alone will collect events from the other DCs without the agent and send events to the ATP cloud.
I really appreciate your feedback.
Nov 06 2019 06:19 AM
@jbchris Correct, just note that the standalone cannot collect events remotely on its own, you need to forward the events to it so it can read them.
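As an added example (not from this thread or from the ATP product), the following PowerShell shows how an administrator can verify the two points made above: that each DC covered by a stand-alone sensor is actually forwarding events into the sensor host's ForwardedEvents log, and that the DC's audit policy generates the event the sensor needs. The DC names and the 24-hour window are assumed; event ID 4776 (Credential Validation) is the security event ATP consumes from forwarded logs.

```powershell
# Added example: checks run by an admin, not code from the ATP sensor itself.
# Assumed values: the DC list and the look-back window below are placeholders.
param(
    [string[]] $MonitoredDCs = @('dc1.contoso.com', 'dc2.contoso.com'),  # assumed names
    [int] $LookbackHours = 24
)

function Test-ForwardedEventsFromDC {
    # Run ON the stand-alone sensor host. Windows Event Forwarding writes collected
    # events to the ForwardedEvents log; MachineName records the DC that logged them.
    param([string[]] $DCs, [int] $Hours)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'ForwardedEvents'; Id = 4776; StartTime = $since
    } -ErrorAction SilentlyContinue
    # Group by originating DC so a DC that forwards nothing shows up as a gap.
    $byDC = $events | Group-Object -Property MachineName -AsHashTable -AsString
    foreach ($dc in $DCs) {
        $count = 0
        if ($byDC -and $byDC.ContainsKey($dc)) { $count = $byDC[$dc].Count }
        [pscustomobject]@{
            DC         = $dc
            Events4776 = $count
            Status     = if ($count -gt 0) { 'forwarding OK' }
                         else { 'no events forwarded: check WEF subscription and DC audit policy' }
        }
    }
}

function Test-CredentialValidationAudit {
    # Run ON a DC. Event 4776 is only written when the Credential Validation
    # subcategory audits Success; 'auditpol /r' returns CSV we can parse.
    $row = auditpol /get /subcategory:"Credential Validation" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = 'Credential Validation'
        Setting     = $setting
        Ok          = ($setting -match 'Success')
    }
}

# Usage: pick the check that matches the host you are on.
Test-ForwardedEventsFromDC -DCs $MonitoredDCs -Hours $LookbackHours | Format-Table -AutoSize
# Test-CredentialValidationAudit   # on the DC
```

Both functions require an elevated session, since reading the Security-derived logs and querying auditpol need administrative rights.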