1. Review DNS traffic on the DNS Summary activity report. For more information on this report, see Summary of DNS activity.
2. If DNS traffic is not logged, verify that the primary DNS server in your network forwards requests to ETP DNS servers.

1. Review network traffic on the Network Traffic activity report. For more information on this report, see Network traffic.
2. If proxy traffic is not reported:
   1. Confirm that the domain or IP address of the traffic is not configured in an exception list or the Allow custom list that was migrated from Quick Lists.
   2. Confirm that the domain or IP address of the traffic is not configured in a custom list that is assigned an Allow action in a policy. The Allow action permits domains and IP addresses in the list to bypass the ETP proxy.

1. Review network traffic on the Network Traffic activity report. For more information on this report, see Network traffic
2. If TLS traffic is not reported, confirm that the trusted root certificate an ETP administrator generated or signed in ETP is deployed to the user’s computer.
3. Confirm that no TLS errors appear.

1. Review network traffic on the Network Traffic activity report. For more information on this report, see Network traffic
2. If the application traffic is not logged, confirm that the certificate is distributed and configured properly in your network. For example, if certificate pinning is used, ensure that the certificate you generated or signed with is correctly saved.

To workaround this issue, you can also add the application to a custom list that is configured in a policy with the Allow action. The Allow action permits domains and IP addresses in the list to bypass the ETP proxy.

For more information, see Edit a custom list and Edit a policy.

1. Search for the domain on the Indicator Search page and confirm the action that was taken on the event. See Search for threats based on domain.
2. Review existing custom lists and check whether the policy is associated with a custom list.
3. If the domain is assigned to a custom list, review existing policies and confirm that the Allow or Monitor action is not assigned to the custom list with the malicious domain.

• Install and distribute ETP Client on end user machines. See ETP Client for DNS and risky web traffic.
• Deploy Enterprise Security Connector in your network. In a policy action, you can then assign the Block - Sinkhole action for lists such as lists that are assigned the Command and Control (C&C) category and select the security connector you deployed. See Security Connector as a DNS sinkhole. To create or edit a policy, see Create a policy or Edit a policy.