mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
commit
1278c09ffa
@ -52,6 +52,7 @@
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
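Review bot: the new TOC entry is nested as a `######` child of `Investigate a domain`, but the topic it links covers connection events and network protection in general rather than domain investigation specifically; a `#####` sibling next to `Investigate a user account`, or a child of `Investigate machines` (the new events surface on the machine timeline), would be easier to find. Visible in the surrounding context, though not part of this change: `[Machines list]()` has an empty link target.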
@ -31,7 +31,10 @@ The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to r
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
>[!TIP]
>For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods:
- Transparent proxy
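Review bot: the new tip links `investigate-behind-proxy.md` with a bare relative path, which only resolves if the new page lives in the same folder as this one (the TOC hunk above addresses it as `microsoft-defender-atp/investigate-behind-proxy.md`), so verify the link renders. Beyond the tip, the hunk only recapitalises "internet browsing" to "Internet browsing", which matches the "Internet" spelling used elsewhere on this page.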
@ -45,6 +48,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Registry based configuration
- WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
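Review bot: the context line under the new heading reads "if a computer is not be permitted to connect to the Internet" and "allow only Microsoft Defender ATP sensor"; since this hunk already touches the lines around that heading, fix them to "is not permitted" and "allow only the Microsoft Defender ATP sensor" in the same change.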
@ -175,56 +180,6 @@ However, if the connectivity check results indicate a failure, an HTTP error is
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Conduct investigations with Microsoft Defender ATP behind a proxy
Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
**Investigation Impact**<br>
In machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
<br>
Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy. <br>
Event's information:
<br>
**Advanced Hunting**<br>
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.<br>
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```

You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
**How to enable the advanced network connection sensor**<br>
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode. <br>
Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit. <br>
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.<br>
If you do not configure this policy, network blocking will be disabled by default. <br><br>
> [!NOTE]
> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
Additional documentation:
- [Applying network protection with GP – policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
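Review bot: with the whole "Conduct investigations with Microsoft Defender ATP behind a proxy" section removed from this page, its Related topics list still has no entry for the new `investigate-behind-proxy.md` topic; only the tip near the top of the page points at it, so add it here as well. The two `Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues` entries read identically, so if the surviving copy differs only in whitespace, make sure exactly one remains in the list.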
Binary file not shown.
Before Width: | Height: | Size: 125 KiB After Width: | Height: | Size: 138 KiB |
Binary file not shown.
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 64 KiB |
Binary file not shown.
Before Width: | Height: | Size: 52 KiB After Width: | Height: | Size: 70 KiB |
@ -0,0 +1,89 @@
---
title: Investigate connection events that occur behind forward proxies
description: Investigate connection events that occur behind forward proxies
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Investigate connection events that occur behind forward proxies
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
## Use network protection to monitor network connection behind a firewall
Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode).
Network protection can be controlled using the following modes:
- **Block** <br> Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
- **Audit** <br> Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.

Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
Event's information:

## Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```

You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
## Related topics
- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
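Review bot: several defects in the new page need fixing before merge. The heading `Use network protection to monitor network connection behind a firewall` says firewall where the page title and the sentence directly under it say forward proxy. The action type is spelled `ConnecionSuccess` in the prose but `ConnectionSuccess` in both queries, and only the latter matches the table. In the second query, `RemoteIP != "ProxyIP"` compares against a literal string; the text should say that `ProxyIP` is a placeholder for the proxy's actual address, and note that `take 10` returns an arbitrary sample rather than all events. The `Protect your network` link is missing the slash after `docs.microsoft.com`. Smaller points: the **Block** bullet says `Windows Defender Security Center` while the **Audit** bullet says `Microsoft Defender Security Center`, and the trial link's `ocid` still reads `investigatemachines`, copied from another page.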
@ -11,8 +11,8 @@ ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
ms.reviewer:
audience: ITPro
manager: dansimp
---
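Review bot: `ms.reviewer:` is left with no value; either name a reviewer or drop the key rather than shipping an empty field. Since the Intune steps of this page are renumbered in the same commit, also confirm that `ms.date: 05/13/2019` is the date intended for this revision.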
@ -36,13 +36,15 @@ You can enable network protection by using any of these methods:
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
2. Click **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.

1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.

1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
5. Click **OK** to save each open blade and click **Create**.
6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
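Review bot: replacing the repeated `1.` markers with explicit `2.` through `6.` hides the symptom (the list restarting at each screenshot) rather than the cause: the two image lines sit between list items at column one, which ends the ordered list in Markdown. Indenting each image under the step it illustrates keeps the list as a single block, so the `1.` auto-numbering would have continued correctly; if the explicit numbers are kept, the images still break the list visually and should be indented anyway.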