Network Visibility on Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Network Visibility on Cortex XDR

L0 Member

Hello,

In my organization we has recieved multiple alerts recently regarding suspicious communication towards our WEB servers.
The communication was from a workstation in the organization but we can't understand from which workstation because the communication was made through our proxy (the source workstation in the alert is the proxy server).

 

Is there a way to configure the Cortex XDR to full visibilty that will show us what is the source workstation behind a proxy (without activating the Data lake)?

 

4 REPLIES 4

L2 Linker

If Cortex XDR is setup on the endpoint and the process or file that performs such a scan is identified as a malicious behaviour or has a malicious file attached to it, it should flag an alert from XDR agent. However based on my understanding Data lake will be required for this.

L3 Networker

Dear Ruslanal,

You can also add IOC for specific domain and XDR would be altered each time when your workstation reached that web server. 

L3 Networker

Hi Ruslanal,

Do you have any information on the alert what is the suspicious communication all about? Something to start with in terms of investigating? If you have Pro license, there is analytics and analytics bioc incidents/alerts that you can check. But if you have specific information to start with, you can use query builder/xql to start your investigation/threat hunting

L7 Applicator

Hi @ruslanal 

Did I understand correctly and you don't have cortex installed on the workstation, only on the webserver? If not and you have cortex on the workstation, then as mentionned by @jcandelaria you can start searching in the logs for thw connections to your proxy at that time (requires xdr pro)

  • 2947 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!