Enterprise EDR: How to search for proxy network connections
Article ID: 290651
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Query for proxy network connections on the Investigate page
Environment
- Enterprise EDR Web Console: All Versions
- Enterprise EDR Windows Sensor: 3.5.x.x and higher
- Microsoft Windows: All Supported Versions
Resolution
Starting September 3rd 2020 VMware Carbon Black implemented the ability to query for proxy network connections on the Processes tab on the Investigate page via the following four search fields:
- netconn_proxy_ipv4:
- netconn_proxy_ipv6:
- netconn_proxy_port:
- netconn_proxy_domain:
Additional Information
Please see below for the following caveats with the initial implementation of the above search fields:
- Only unencrypted traffic between the endpoint and the proxy can be detected at this time
- There will be 2 netconn events
- When the initial connection is established
- The second event will adjust the remote ip/domain/port fields when a proxy is detected
- The netconn_count will only count one event, this will be investigated for improvement in the future
Feedback
Yes
No
Powered by
