06-23-2021 05:01 AM
In my organization we have received multiple alerts recently regarding suspicious communication towards our web servers.
The communication was from a workstation in the organization, but we can't understand from which workstation because the communication was made through our proxy (the source workstation in the alert is the proxy server).
Is there a way to configure Cortex XDR for full visibility that will show us what the source workstation behind the proxy is (without activating the Data Lake)?
06-23-2021 05:25 AM
If Cortex XDR is set up on the endpoint and the process or file that performs such a scan is identified as malicious behaviour or has a malicious file attached to it, the XDR agent should flag an alert. However, based on my understanding, the Data Lake will be required for this.
06-23-2021 06:01 AM
You can also add an IOC for the specific domain, and XDR would alert each time your workstation reached that web server.
06-23-2021 09:49 AM
Do you have any information in the alert about what the suspicious communication is all about? Something to start with in terms of investigating? If you have a Pro license, there are Analytics and Analytics BIOC incidents/alerts that you can check. But if you have specific information to start with, you can use Query Builder/XQL to start your investigation/threat hunting.
06-26-2021 03:26 AM
Did I understand correctly that you don't have Cortex installed on the workstation, only on the web server? If you do have Cortex on the workstation, then as mentioned by @jcandelaria you can start searching in the logs for the connections to your proxy at that time (requires XDR Pro).
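The pivot the thread converges on (take the alert time and destination, then look at who talked to the proxy at that moment) can also be done against the proxy's own access log when the endpoint side has no visibility. The following is an added example, not from any poster or from Palo Alto; it assumes a Squid-style native access-log format, and the log lines it parses are constructed samples.

```python
import re

# Constructed sample of proxy access-log lines in Squid native format:
# <epoch.ms> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> ...
# The web server alerted on traffic from the proxy; the client_ip column is
# the real source workstation we want to recover.
PROXY_LOG = """\
1624441260.123    45 10.20.30.41 TCP_MISS/200 512 GET http://intranet.example.local/login -
1624441265.456    12 10.20.30.77 TCP_MISS/200 231 GET http://web01.example.local/admin/ -
1624441266.001     9 10.20.30.77 TCP_MISS/404 120 GET http://web01.example.local/admin/.env -
1624441299.789    33 10.20.30.12 TCP_HIT/200  900 GET http://web01.example.local/index.html -
1624441900.000    10 10.20.30.99 TCP_MISS/200 300 GET http://web01.example.local/ -
"""

# Only the columns needed for correlation are captured; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)


def parse_proxy_log(text):
    """Yield (epoch_seconds, client_ip, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole search
        yield float(m["ts"]), m["client"], m["url"]


def host_of(url):
    """Extract the bare host from 'scheme://host[:port]/path' or 'host:port' (CONNECT)."""
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]


def find_source_workstations(log_text, alert_epoch, target_host, window_seconds=60):
    """Return {client_ip: request_count} for proxy clients that reached
    target_host within +/- window_seconds of the alert timestamp."""
    hits = {}
    for ts, client, url in parse_proxy_log(log_text):
        if host_of(url) == target_host and abs(ts - alert_epoch) <= window_seconds:
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    # Alert time and target host are assumed values taken from the XDR alert.
    for ip, n in find_source_workstations(PROXY_LOG, 1624441270.0, "web01.example.local").items():
        print(f"{ip}: {n} request(s) to web01 around the alert time")
```

Narrowing the window and comparing the request count per client is what separates the workstation behind the alert from normal browsing to the same server. If the proxy can be configured to add an X-Forwarded-For header, the web server's own logs will carry the client address directly and this correlation step becomes unnecessary.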