Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet. The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor. By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names.
Before applying the feature, the machine timeline (filtered by Network events) only shows internal addresses, without the real target domain names. The proxy address will be there for any outbound traffic. See below:
After enabling Network Protection, the IP address will keep representing the proxy while the real target address will show up. See below:
Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy.
All new connection events are also available for you to hunt on through Advanced Hunting tab. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.
Using this simple query will show you all the relevant events:
| where ActionType == "ConnectionSuccess"
| take 10
You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
| where ActionType == "ConnectionSuccess" and RemoteIP != "<ProxyIP>"
| take 10
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode.
Network protection is a feature in Microsoft Defender ATP's attack surface reduction capabilities that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit.
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
If you do not configure this policy, network blocking will be disabled by default.
Again, in order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
The various methods to enable network protection documented here:
URIs shown in timeline contain the protocol (HTTP/HTTPS). In the example above: http://bing.com. Behind a proxy, the MDATP sensor has visibility to CONNECT messages only, therefore there is no guarantee that the connection itself was in the same protocol you see in the URI.
We would love to get your feedback and answer your questions.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.