SOLVED

Can we use Azure Monitor Gateway Server in place of Standalone Sensor Server in Azure ATP Deployment


Hi Folks,

I need to know whether we can replace the Azure ATP Standalone Sensor Server with Azure Monitor - Log Analytics Gateway Server so we can connect Domain Controllers into the gateway without port-mirroring.

Because we need to know a deployment scenario without port-mirroring.

Please confirm.

5 Replies
Best Response confirmed by Rizmi Razik (New Contributor)
Solution

@Rizmi Razik No, Azure Monitor cannot be used instead of the AATP Sensor.

The normal usage of the sensor is integrated (installed on the DC itself) and does not require port mirroring, and even supports more detections.

Today about 96% of sensor deployments are integrated...


Hi Eli,

Thanks for the reply. But in my scenario I have to avoid sensor integration to DCs directly and implement the AATP standalone sensor, in which there is a dedicated server installation. I wanted to know whether we can replace this server and bring in the Log Analytics Gateway Server so that DCs can be directed to this and thereby to the Azure ATP workspace?

Because we need to see the possibility without port mirroring, since our hardware (both servers and switches) needs to be restructured with additional equipment to make it ready for port mirroring. So anything possible without port-mirroring will be appreciated.

BR.

Rizmi


@Rizmi Razik No, those are different products collecting different information.

You can either use the standalone version with port mirroring (and also losing some detection this way), or use the integrated option which gives you the full suite of detection.

If none of these is a valid option, then AATP won't work....

Why do you have to avoid installing the sensor directly on the DC?


I am planning to implement this environment inside an ESXi host. I have attached a preliminary diagram for your reference. Please verify whether the ATA Gateway supports mirrored data coming from multiple network ports. (E.g. the ATA Gateway will have three network ports: one will be used to communicate with the external network and two for mirrored data.)

Hence, please clarify this.


@Rizmi Razik Did we switch from talking about AATP to ATA?

Anyway, the standalone Sensor and Gateway can get mirrored traffic from several DCs at the same time; as long as each DC is mirrored to a single port, you can split the data across multiple ports.

I can't comment on the diagram feasibility as I am not a networking engineer.

Just a few comments:

- When using AATP standalone sensor, take into account you are losing a considerable amount of detection possibilities.

- If you are really going to deploy a new ATA environment, keep in mind that ATA is switching to extended support on Jan 2021... AATP is a much better choice.