MDATP Monitoring network connection behind forward proxy - Public Preview

Published Jul 16 2019 09:50 PM 11.7K Views


Microsoft Defender ATP supports network connection monitoring at several levels of the operating system network stack. A challenging case is a network that uses a forward proxy as its gateway to the internet: the proxy acts as if it were the target endpoint, so a simple network connection monitor audits the connection to the proxy. That is correct, but it has lower investigation value because the real destination is hidden. Microsoft Defender ATP therefore also supports an advanced HTTP-level sensor. When this sensor is enabled, Microsoft Defender ATP exposes a new type of event that surfaces the real target domain names.


Investigation Impact

Machine timeline

Before applying the feature, the machine timeline (filtered by Network events) only shows internal addresses, without the real target domain names. The proxy address will be there for any outbound traffic. See the screenshot Proxy1.png.


After enabling Network Protection, the IP address will keep representing the proxy while the real target address will show up. See the screenshot Proxy2.png.


Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy.


Event’s info:



Advanced Hunting

All new connection events are also available for you to hunt on through the Advanced Hunting tab. Since these events are connection events, you can find them in the NetworkCommunicationEvents table under the "ConnectionSuccess" action type.


Using this simple query will show you all the relevant events:



NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10


You can also filter out the events that represent the connection to the proxy itself. Use the following query, replacing <ProxyIP> with the address of your forward proxy:



NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "<ProxyIP>"
| take 10
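The two queries above only list raw events. For an investigation you usually want the real destinations aggregated per host, together with which devices and processes reached them. The following Advanced Hunting query is an added example, not a query from the original post; it assumes the NetworkCommunicationEvents columns EventTime, ComputerName, RemoteIP, RemoteUrl and InitiatingProcessFileName (assumed names for this example) and uses <ProxyIP> as a placeholder for your forward proxy address. Events that went through the proxy are identified by a populated RemoteUrl rather than by RemoteIP alone, and the host is extracted with parse_url so the grouping does not depend on the HTTP/HTTPS scheme shown in the URI.

```kusto
// Added example (not part of the original post). Column names EventTime, ComputerName,
// RemoteIP, RemoteUrl and InitiatingProcessFileName are assumed; replace <ProxyIP>
// with the address of your forward proxy.
let ProxyIP = "<ProxyIP>";
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where ActionType == "ConnectionSuccess"
// Only the Network Protection events carry the real target URL behind the proxy.
| where isnotempty(RemoteUrl)
// Host part only: behind a proxy the scheme in RemoteUrl is not a reliable
// indication of the protocol actually used, so do not group by the full URI.
| extend TargetHost = tostring(parse_url(RemoteUrl).Host)
| extend TargetHost = iff(isempty(TargetHost), RemoteUrl, TargetHost)
| extend ViaProxy = RemoteIP == ProxyIP
| summarize Connections = count(),
            Devices = dcount(ComputerName),
            Processes = make_set(InitiatingProcessFileName, 10),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime)
  by TargetHost, ViaProxy
| order by Devices desc, Connections desc
| take 50
```

Sorting by the number of distinct devices first makes destinations that many endpoints share rise to the top, while a host reached by a single device and a single unusual process stands out near the bottom of the list; the FirstSeen and LastSeen columns give the time window to pivot into the machine timeline.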



Enable the advanced network connection sensor

Monitoring network connections behind a forward proxy is possible thanks to the additional network events that originate from Network Protection. To see them in the machine's timeline, you need to turn Network Protection on, at least in audit mode.


Network protection is a feature in Microsoft Defender ATP's attack surface reduction capabilities that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites.  Its behavior can be controlled by the following options: Block and Audit.


If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.


If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.


If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.


If you do not configure this policy, network blocking will be disabled by default.


Again, in order to enable monitoring of network connections behind a forward proxy and see the real domain names, you need to enable network protection at least in audit mode.


The various methods to enable network protection are documented here:

Enable network protection (Intune, MDM, SCCM, Group policy, PowerShell)


Additional documentation:



URIs shown in the timeline contain the protocol (HTTP/HTTPS), as in the example above. Behind a proxy, however, the MDATP sensor only has visibility of the CONNECT messages, so there is no guarantee that the connection itself used the same protocol you see in the URI.


We would love to get your feedback and answer your questions.



@Dan Michelson 

Katya Goldenshlach

@Alex Schuldberg

Occasional Contributor

What's that BEHAVIORS column that you see in the top two images? I can't find that column in my Machine timeline. 


@Joe Stern Let me check. 


Does anyone know why the "Network Protection" feature is not an option under Advanced Features in my tenant?   Also, I see this error when I try to enter IOCs in the indicators rules:  "Blocking IP addresses, domains, or URLs is not yet available for this tenant."


I am wondering if the two problems are related.

New Contributor

@North2AK , the network blocking is in private preview. Once in public preview, you'll be able to try it. 


Ok, thank you Dan.


Thanks @Sergg ,


The feature is in production. Would love to hear your feedback.

Thanks for your comment about the broken link.




@Efrat Kliger 


@Dan Michelson Support for proxy sessions is always welcome. Especially in the last few years, I have a feeling the industry is seeing the second coming of proxy-based security and filtering products (back from the grave). Not strictly on the subject, but I was really impressed when some NG firewall was able to transparently unwrap and report on proxy traffic destined to TCP/8080 and be able to show it in the firewall logs with unwrapped URLs and run the full content inspection. I'm sure MDATP support and de-obfuscation of proxied URLs will be very well received.

Is there a more in-depth compatibility list in addition to this ?

Does MDATP actively monitor and inspect DNS traffic on the endpoint? What if some other endpoint products change DNS settings to Perhaps you can comment on my unanswered query here - Impact to MDATP protection / visibility / investigations when using Cisco Umbrella Roaming Client

Occasional Contributor

@Dan Michelson This is great, and assuming this is now production - do you know if MCAS supports this extended event data for Cloud Discovery?


I believe MCAS has native proxy log support for Zscaler, Bluecoat etc. Therefore there should be no problem with picking "hosts" from proxy logs in MCAS.

Version history: last update May 24 2020 11:49 PM