deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

add tip to point to investigate behind proxy topic

Browse Source
This commit is contained in:
Joey Caparas 2019-07-31 16:06:13 -07:00
parent 20ec41a98b
commit 93d2397efe
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -31,7 +31,10 @@ The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to r
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: >[!TIP]
>For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods: - Auto-discovery methods:
- Transparent proxy - Transparent proxy
@ -45,6 +48,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Registry based configuration - Registry based configuration
- WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) - WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy ## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.

5
windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
View File

@ -44,7 +44,7 @@ If you turn network protection off, users or apps will not be blocked from conne
If you do not configure it, network blocking will be turned off by default. If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
## Investigation impact ## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up. When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
@ -54,12 +54,13 @@ When network protection is turned on, you'll see that on a machine's timeline th
Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
Event's information: Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png) ![Image of single network event](images/atp-proxy-investigation-event.png)
## Hunt for connection events using advanced hunting ## Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type. All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
Using this simple query will show you all the relevant events: Using this simple query will show you all the relevant events: