From 93d2397efeb94f453470a650b8749ededdd7d607 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 31 Jul 2019 16:06:13 -0700 Subject: [PATCH] add tip to point to investigate behind proxy topic --- .../microsoft-defender-atp/configure-proxy-internet.md | 7 ++++++- .../microsoft-defender-atp/investigate-behind-proxy.md | 5 +++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 56964f4846..dba3eaf576 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -31,7 +31,10 @@ The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to r The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. -The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: +>[!TIP] +>For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md). + +The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - Auto-discovery methods: - Transparent proxy 
@@ -45,6 +48,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Registry based configuration - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) + + ## Configure the proxy server manually using a registry-based static proxy Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index c8358793ea..18d267c4cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -44,7 +44,7 @@ If you turn network protection off, users or apps will not be blocked from conne If you do not configure it, network blocking will be turned off by default. -For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) +For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection). ## Investigation impact When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up. 
@@ -54,12 +54,13 @@ When network protection is turned on, you'll see that on a machine's timeline th Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. Event's information: + ![Image of single network event](images/atp-proxy-investigation-event.png) ## Hunt for connection events using advanced hunting -All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type. +All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type. Using this simple query will show you all the relevant events:
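Review bot: In the first configure-proxy-internet.md hunk (`@@ -31,7 +31,10 @@`), the rewritten WinHTTP line also changes "internet browsing proxy settings" to "Internet browsing proxy settings", a capitalization change that is unrelated to the tip the commit subject describes. Either keep the line unchanged so the hunk only adds the `[!TIP]` block, or mention the wording fix in the commit message so reviewers can see it is intentional; the tip itself reads correctly and the relative link `investigate-behind-proxy.md` matches the file touched later in this patch.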
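Review bot: The second configure-proxy-internet.md hunk (`@@ -45,6 +48,8 @@`) only adds two blank lines before the "## Configure the proxy server manually using a registry-based static proxy" heading, which is whitespace-only and not described by the commit subject; consider dropping it or folding a real fix into it. The unchanged context line just below, "if a computer is not be permitted to connect to the Internet", has a grammar slip ("is not be permitted" should read "is not permitted"), and since this hunk already touches the lines above it, fixing that here would make the whitespace change worthwhile.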
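Review bot: The first investigate-behind-proxy.md hunk (`@@ -44,7 +44,7 @@`) adds the missing period after the "[Enable network protection](...)" link, which is fine, but note the link is an absolute `https://docs.microsoft.com/...` URL while the tip added in configure-proxy-internet.md uses a relative `investigate-behind-proxy.md` link; if both pages live in the same docs tree, a relative link here would keep the cross-references consistent and avoid hard-coding the host.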
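Review bot: In the second investigate-behind-proxy.md hunk (`@@ -54,12 +54,13 @@`), the action type is still spelled `ConnecionSuccess` (missing the "t") in the changed line; wrapping it in backticks presents it as a literal identifier that readers will paste into advanced hunting queries, so the spelling should be verified against the actual NetworkCommunicationEvents action type value (it looks like a typo for `ConnectionSuccess`) before this lands. The added blank line before the `![Image of single network event](images/atp-proxy-investigation-event.png)` image is fine; while touching that area, "Event's information:" in the context line would read better as "Event information:".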