In my organization we have received multiple alerts recently regarding suspicious communication towards our web servers.
The communication was from a workstation in the organization, but we can't tell from which workstation, because the communication was made through our proxy (the source workstation in the alert is the proxy server).
Is there a way to configure Cortex XDR for full visibility that will show us which source workstation is behind the proxy (without activating the Data Lake)?
Do you have any information in the alert about what the suspicious communication is? Something to start with in terms of investigating? If you have a Pro license, there are Analytics and Analytics BIOC incidents/alerts that you can check. But if you have specific information to start with, you can use Query Builder/XQL to start your investigation/threat hunting.
Did I understand correctly that you don't have Cortex installed on the workstation, only on the web server? If not, and you have Cortex on the workstation, then as mentioned by @jcandelaria you can start searching in the logs for the connections to your proxy at that time (requires XDR Pro).
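The pivot the two replies describe (search the workstations' endpoint telemetry for connections to the proxy at the alert time, instead of looking at the proxy-to-web-server flow), written out as an added XQL example that is not part of the original thread. It assumes Cortex XDR agents with network event collection on the workstations (XDR Pro, as noted above); the proxy address 10.0.0.5, its listener port 8080 and the 20-minute window around the alert are placeholders to replace with your own values.

```xql
// Assumed placeholders: proxy 10.0.0.5:8080, alert window 2024-03-01 13:50-14:10 UTC.
config timeframe between "2024-03-01 13:50:00" and "2024-03-01 14:10:00"
| dataset = xdr_data
// Endpoint network events whose remote side is the proxy listener
| filter event_type = ENUM.NETWORK
    and action_remote_ip = "10.0.0.5"
    and action_remote_port = 8080
// The workstation behind the proxy: host, its source IP/port, the process and the user
| fields _time, agent_hostname, action_local_ip, action_local_port,
         actor_process_image_name, actor_process_command_line, actor_effective_username
| sort asc _time
```

The definitive join is on the proxy's own access log: the entry for the web server URL at the alert timestamp carries the client IP and source port, and the endpoint event whose action_local_ip and action_local_port match it names the workstation, process and user. If many hosts use the proxy, replace the fields stage with `| comp count() as connections by agent_hostname, actor_process_image_name | sort desc connections` to get an overview first, then narrow the window to the exact alert time.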