Threat Manager™ requires the Alert Logic® appliance (physical or virtual) in every deployment in which we engage. The Alert Logic agent is required in public and private cloud environments on any host that should be protected. The agent may be used optionally in traditional environments if desired.
Appliances will receive traffic from the Alert Logic agent, which when installed on a protected host will capture the traffic that hits the host's network interface and forwards that traffic to the appliance.
When not using the agent, appliances may receive traffic from network SPANs (port mirroring) or network taps. With network SPAN, customers will need to configure their network switches to forward a copy of the traffic they wish to monitor to a monitoring port on the Alert Logic appliance.
Network taps are less common but are used in some deployments. Taps are reliable tools to get data off of the network to a monitoring appliance and would be used if a customer is resistant to tasking their switch fabric with mirroring traffic. Alert Logic will recommend a network tap vendor for customers to contact when they wish to use this option.