add new topic

Joey Caparas 2019-07-30 15:09:58 -07:00
parent 9108ced1bc
commit 918b6bb5da
4 changed files with 96 additions and 56 deletions

@ -52,6 +52,7 @@
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
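Review bot: the new TOC entry `###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)` is one heading level deeper than the surrounding `#####` entries, so it renders as a child of "Investigate a domain" rather than as a sibling investigate topic. If that nesting is intended (the topic is about surfacing real target domain names behind a proxy) it is fine; otherwise change it to `#####` so it sits at the same level as the other investigate topics, ahead of "Investigate a user account".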

@ -175,56 +175,6 @@ However, if the connectivity check results indicate a failure, an HTTP error is
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Conduct investigations with Microsoft Defender ATP behind a proxy
Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
**Investigation Impact**<br>
In machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
![Image of network events on machine's timeline](images/atp-proxy-investigation.png)<br>
Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy. <br>
Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png)<br>
**Advanced Hunting**<br>
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type.<br>
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
**How to enable the advanced network connection sensor**<br>
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machines timeline you need to turn Network Protection on at least in audit mode. <br>
Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit. <br>
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.<br>
If you do not configure this policy, network blocking will be disabled by default. <br><br>
> [!NOTE]
> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
Additional documentation:
- [Applying network protection with GP policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
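Review bot: this hunk removes the entire "Conduct investigations with Microsoft Defender ATP behind a proxy" section from the proxy configuration topic without leaving a pointer to where the content moved, so a reader who has just configured `TelemetryProxyServer` on this page no longer learns that network protection must be on (at least in audit mode) before real target domains show up behind the proxy. Suggest adding `- [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md)` under `## Related topics`, which after this change carries only the two onboarding links.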

@ -0,0 +1,87 @@
---
title: Investigate connection events that occur behind forward proxies
description: Investigate connection events that occur behind forward proxies
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Investigate connection events that occur behind forward proxies
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
## Use network protection to monitor network connection behind a firewall
Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode).
Network protection can be controlled using the following modes:
- **Block** <br> Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
- **Audit** <br> Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection)
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
![Image of network events on machine's timeline](images/atp-proxy-investigation.png)
Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png)
## Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type.
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
## Related topics
- [Applying network protection with GP policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
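Review bot: the link `- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)` is missing the slash between host and path and will not resolve; it should start `https://docs.microsoft.com/windows/...`. In the same file, the heading `## Use network protection to monitor network connection behind a firewall` should read "behind a forward proxy", since that is what the section and the title describe, and `ConnecionSuccess` in the advanced hunting paragraph is misspelled while the queries correctly use `ActionType == "ConnectionSuccess"`. Finally, the second query compares `RemoteIP != "ProxyIP"` against a literal placeholder, which filters nothing as written; the text should say that `"ProxyIP"` must be replaced with the proxy's actual address.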

@ -36,13 +36,15 @@ You can enable network protection by using any of these methods:
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
2. Click **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
![Enable network protection in Intune](images/enable-np-intune.png)
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
5. Click **OK** to save each open blade and click **Create**.
6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
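Review bot: replacing the repeated `1.` markers with explicit `2.` through `6.` gives up markdown's automatic renumbering, so any step inserted later forces a manual renumber of everything below it; if explicit numbers are the preferred style, the other method sections of this topic (starting with `## MDM`) should be checked so one convention is used throughout the file. The list itself is consistent after the change: `1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.` stays as step 1 and the two screenshots remain attached to steps 3 and 4.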