Home
%3CLINGO-SUB%20id%3D%22lingo-sub-759523%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759523%22%20slang%3D%22en-US%22%3E%3CP%3EWhat's%20that%20BEHAVIORS%20column%20that%20you%20see%20in%20the%20top%20two%20images%3F%20I%20can't%20find%20that%20column%20in%20my%20Machine%20timeline.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-759607%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759607%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F54698%22%20target%3D%22_blank%22%3E%40Joe%20Stern%3C%2FA%3E%26nbsp%3BLet%20me%20check.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-765036%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-765036%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20why%20the%20%22Network%20Protection%22%20feature%20is%20not%20an%20option%20under%20Advanced%20Features%20in%20my%20tenant%3F%26nbsp%3B%20%26nbsp%3BAlso%2C%20I%20see%20this%20error%20when%20I%20try%20to%20enter%20IOCs%20in%20the%20indicators%20rules%3A%26nbsp%3B%20%22%3CSPAN%3EBlocking%20IP%20addresses%2C%20domains%2C%20or%20URLs%20is%20not%20yet%20available%20for%20this%20tenant.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20am%20wondering%20if%20the%20two%20problems%20are%20related.%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%20class%3D%22wcd-flex-1%20relative%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-765082%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-765082%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F379140%22%20target%3D%22_blank%22%3E%40North2AK%3C%2FA%3E%26nbsp%3Byou%20need%20to%20enable%20it%20per%20this%20article%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-exploit-guard%2Fenable-network-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-exploit-guard%2Fenable-network-protection%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-765585%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-765585%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F379140%22%20target%3D%22_blank%22%3E%40North2AK%3C%2FA%3E%26nbsp%3B%2C%20the%20network%20blocking%20is%20in%20private%20preview.%20Once%20in%20public%20preview%2C%20you'll%20be%20able%20to%20try%20it.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-765629%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-765629%22%20slang%3D%22en-US%22%3E%3CP%3EOk%2C%20thank%20you%20Dan.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-758274%22%20slang%3D%22en-US%22%3EMDATP%20Monitoring%20network%20connection%20behind%20forward%20proxy%20-%20Public%20Preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-758274%22%20slang%3D%22en-US%22%3E%3CH1%20id%3D%22toc-hId-1989098489%22%20id%3D%22toc-hId-1989098489%22%3ESynopsis%3C%2FH1%3E%0A%3CP%3EMicrosoft%20Defender%20ATP%20supports%20network%20connection%20monitoring%20from%20different%20levels%20of%20the%20operating%20system%20network%20stack.%20A%20challenging%20case%20is%20when%20the%20network%20uses%20a%20forward%20proxy%20as%20a%20gateway%20to%20the%20internet.%20The%20proxy%20acts%20as%20if%20it%20was%20the%20target%20endpoint.%20In%20these%20cases%2C%20simple%20network%20connection%20monitors%20will%20audit%20the%20connections%20with%20the%20proxy%20which%20is%20correct%20but%20has%20lower%20investigation%20value.%20Microsoft%20Defender%20ATP%20supports%20advanced%20HTTP%20level%20sensor.%20By%20enabling%20this%20sensor%2C%20Microsoft%20Defender%20ATP%20will%20expose%20a%20new%20type%20of%20events%20that%20surfaces%20the%20real%20target%20domain%20names.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--563058472%22%20id%3D%22toc-hId--563058472%22%3EInvestigation%20Impact%3C%2FH1%3E%0A%3CH2%20id%3D%22toc-hId-983238358%22%20id%3D%22toc-hId-983238358%22%3EMachine%20timeline%3C%2FH2%3E%0A%3CP%3EBefore%20applying%20the%20feature%2C%20the%20machine%20timeline%20(filtered%20by%20Network%20events)%20only%20shows%20internal%20addresses%2C%20without%20the%20real%20target%20domain%20names.%20The%20proxy%20address%20will%20be%20there%20for%20any%20outbound%20traffic.%20See%20below%3A%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123485i0F7C4A3D0F451133%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Proxy1.png%22%20title%3D%22Proxy1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20enabling%20Network%20Protection%2C%20the%20IP%20address%20will%20keep%20representing%20the%20proxy%20while%20the%20real%20target%20address%20will%20show%20up.%20See%20below%3A%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123486i406A739408786CD0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Proxy2.png%22%20title%3D%22Proxy2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdditional%20events%20triggered%20by%20the%20Network%20Protection%20layer%20are%20now%20available%20to%20surface%20the%20real%20domain%20names%20even%20behind%20a%20proxy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEvent%E2%80%99s%20info%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20588px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123487i1DA5A9CA8342F4CD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Proxy3.png%22%20title%3D%22Proxy3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1568918603%22%20id%3D%22toc-hId--1568918603%22%3EAdvanced%20Hunting%3C%2FH2%3E%0A%3CP%3EAll%20new%20connection%20events%20are%20also%20available%20for%20you%20to%20hunt%20on%20through%20Advanced%20Hunting%20tab.%20Since%20these%20events%20are%20connection%20events%2C%20you%20can%20find%20them%20under%20the%20NetworkCommunicationEvents%20table%20under%20the%20%E2%80%98ConnecionSuccess%E2%80%99%20action%20type.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUsing%20this%20simple%20query%20will%20show%20you%20all%20the%20relevant%20events%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3ENetworkCommunicationEvents%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%7C%20where%20ActionType%20%3D%3D%20%22ConnectionSuccess%22%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%7C%20take%2010%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20668px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123488i67F9A56A5A4CBE52%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Proxy4.jpg%22%20title%3D%22Proxy4.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20filter%20out%20the%20events%20that%20are%20related%20to%20connection%20to%20the%20proxy%20itself.%20Use%20the%20following%20query%20to%20filter%20out%20the%20connections%20to%20the%20proxy%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3ENetworkCommunicationEvents%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%7C%20where%20ActionType%20%3D%3D%20%22ConnectionSuccess%22%20and%20RemoteIP%20!%3D%20%22%3CPROXYIP%3E%22%26nbsp%3B%3C%2FPROXYIP%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%7C%20take%2010%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-370405237%22%20id%3D%22toc-hId-370405237%22%3EEnable%20the%20advanced%20network%20connection%20sensor%3C%2FH1%3E%0A%3CP%3EMonitoring%20network%20connection%20behind%20forward%20proxy%20is%20possible%20due%20to%20additional%20Network%20Events%20that%20originate%20from%20Network%20Protection.%20To%20see%20them%20in%20machine%E2%80%99s%20timeline%20you%20need%20to%20%3CU%3Eturn%20Network%20Protection%20on%20at%20least%20in%20audit%20mode.%3C%2FU%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENetwork%20protection%20is%20a%20feature%20in%20Microsoft%20Defender%20ATP's%20attack%20surface%20reduction%20capabilities%20that%20protects%20employees%20using%20any%20app%20from%20accessing%20phishing%20scams%2C%20exploit-hosting%20sites%2C%20and%20malicious%20content%20on%20the%20Internet.%20This%20includes%20preventing%20third-party%20browsers%20from%20connecting%20to%20dangerous%20sites.%20%26nbsp%3BIts%20behavior%20can%20be%20controlled%20by%20the%20following%20options%3A%20Block%20and%20Audit.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20turn%20this%20policy%20on%20in%20%22Block%22%20mode%2C%20users%2Fapps%20will%20be%20blocked%20from%20connecting%20to%20dangerous%20domains.%20You%20will%20be%20able%20to%20see%20this%20activity%20in%20Microsoft%20Defender%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20turn%20this%20policy%20on%20in%20%22Audit%22%20mode%2C%20users%2Fapps%20will%20not%20be%20blocked%20from%20connecting%20to%20dangerous%20domains.%20However%2C%20you%20will%20still%20see%20this%20activity%20in%20Microsoft%20Defender%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20turn%20this%20policy%20off%2C%20users%2Fapps%20will%20not%20be%20blocked%20from%20connecting%20to%20dangerous%20domains.%20You%20will%20not%20see%20any%20network%20activity%20in%20Microsoft%20Defender%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20do%20not%20configure%20this%20policy%2C%20network%20blocking%20will%20be%20disabled%20by%20default.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAgain%2C%20in%20order%20to%20enable%20Monitoring%20network%20connection%20behind%20forward%20proxy%20and%20see%20the%20domains%20you%20will%20need%20to%20enable%20network%20protection%20at%20least%20in%20audit%20mode.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20various%20methods%20to%20enable%20network%20protection%20documented%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-exploit-guard%2Fenable-network-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEnable%20network%20protection%20(Intune%2C%20MDM%2C%20SCCM%2C%20Group%20policy%2C%20PowerShell)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdditional%20documentation%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fwindows%252Fclient-management%252Fmdm%252Fpolicy-csp-defender%2523defender-enablenetworkprotection%26amp%3Bdata%3D02%257C01%257Cdanmich%2540microsoft.com%257C35682ff501a74ec0f64c08d6e9116360%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636952658221072493%26amp%3Bsdata%3D7Qf0%252BsFJ4M0mZkqnGfgtak4VuaKTvWNIq5vCq87ITZk%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EApplying%20network%20protection%20with%20GP%20%E2%80%93%20policy%20CSP%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fwindows%252Fsecurity%252Fthreat-protection%252Fwindows-defender-exploit-guard%252Fwindows-defender-exploit-guard%26amp%3Bdata%3D02%257C01%257Cdanmich%2540microsoft.com%257C35682ff501a74ec0f64c08d6e9116360%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636952658221082488%26amp%3Bsdata%3DXWBYJVir%252BxRdmLQhU41imxL%252B%252BlbqhiLufewm%252BrjGAHQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EWindows%20Defender%20Exploit%20Guard%20Documentation%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-2113215572%22%20id%3D%22toc-hId-2113215572%22%3ENote%3A%3C%2FH1%3E%0A%3CP%3EURIs%20shown%20in%20timeline%20contain%20the%20protocol%20(HTTP%2FHTTPS).%20In%20the%20example%20above%3A%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttp%253A%252F%252Fbing.com%26amp%3Bdata%3D02%257C01%257Cdanmich%2540microsoft.com%257C35682ff501a74ec0f64c08d6e9116360%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636952658221082488%26amp%3Bsdata%3DX5%252FOVHTFm9kIYu%252BMRNLhRXfLciJjGLufnKF2Lmou68I%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSTRONG%3Ehttp%3C%2FSTRONG%3E%3A%2F%2Fbing.com%3C%2FA%3E.%26nbsp%3B%20Behind%20a%20proxy%2C%20the%20MDATP%20sensor%20has%20visibility%20to%20CONNECT%20messages%20only%2C%20therefore%20there%20is%20no%20guarantee%20that%20the%20connection%20itself%20was%20in%20the%20same%20protocol%20you%20see%20in%20the%20URI.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWe%20would%20love%20to%20get%20your%20feedback%20and%20answer%20your%20questions.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F183190%22%20target%3D%22_blank%22%3E%40Dan%20Michelson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EKatya%20Goldenshlach%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3Ca%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F15847%22%3E%40Alex%3C%2Fa%3E%26nbsp%3BSchuldberg%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-758274%22%20slang%3D%22en-US%22%3E%3CP%3EMDATP%20now%20reveals%20the%20real%20network%20connections%20even%20when%20running%20behind%20a%20proxy.%20With%20this%20public%20preview%20feature%2C%20analysts%20get%20visibility%20not%20only%20to%20the%20TCP%20connection%20but%20also%20to%20the%20HTTP%20connection.%20Not%20like%20TCP%2C%20HTTP%20layer%20monitoring%20uncovers%20the%20target%20domain%20names%20for%20your%20HTTP%20connections.%20Learn%20how%20to%20enable%20it%20for%20preview%20in%20your%20environment.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-758274%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20hunting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Synopsis

Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet. The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor. By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names.

 

Investigation Impact

Machine timeline

Before applying the feature, the machine timeline (filtered by Network events) only shows internal addresses, without the real target domain names. The proxy address will be there for any outbound traffic. See below:Proxy1.png

 

After enabling Network Protection, the IP address will keep representing the proxy while the real target address will show up. See below:Proxy2.png

 

Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy.

 

Event’s info:

Proxy3.png

 

Advanced Hunting

All new connection events are also available for you to hunt on through Advanced Hunting tab. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.

 

Using this simple query will show you all the relevant events:

 

NetworkCommunicationEvents

| where ActionType == "ConnectionSuccess"

| take 10

Proxy4.jpg

You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:

 

NetworkCommunicationEvents

| where ActionType == "ConnectionSuccess" and RemoteIP != "<ProxyIP>" 

| take 10

 

 

Enable the advanced network connection sensor

Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode.

 

Network protection is a feature in Microsoft Defender ATP's attack surface reduction capabilities that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites.  Its behavior can be controlled by the following options: Block and Audit.

 

If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.

 

If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.

 

If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.

 

If you do not configure this policy, network blocking will be disabled by default.

 

Again, in order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.

 

The various methods to enable network protection documented here:

Enable network protection (Intune, MDM, SCCM, Group policy, PowerShell)

 

Additional documentation:

 

Note:

URIs shown in timeline contain the protocol (HTTP/HTTPS). In the example above: http://bing.com.  Behind a proxy, the MDATP sensor has visibility to CONNECT messages only, therefore there is no guarantee that the connection itself was in the same protocol you see in the URI.

 

We would love to get your feedback and answer your questions.

 

Thanks,

@Dan Michelson 

Katya Goldenshlach

@Alex Schuldberg

6 Comments
Occasional Contributor

What's that BEHAVIORS column that you see in the top two images? I can't find that column in my Machine timeline. 

Microsoft

@Joe Stern Let me check. 

Occasional Visitor

Does anyone know why the "Network Protection" feature is not an option under Advanced Features in my tenant?   Also, I see this error when I try to enter IOCs in the indicators rules:  "Blocking IP addresses, domains, or URLs is not yet available for this tenant."

 

I am wondering if the two problems are related.

 
New Contributor
Microsoft

@North2AK , the network blocking is in private preview. Once in public preview, you'll be able to try it. 

Occasional Visitor

Ok, thank you Dan.