An internal Cloud resource performed port scan on external networks

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-09-24
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Flow Log
      OR
    • AWS OCSF Flow Logs
      OR
    • Azure Flow Log
      OR
    • Gcp Flow Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An internal cloud resource attempted to connect to the same destination port on multiple external IP addresses.
This may be a result of the cloud resource being hijacked by an attacker.
Attackers perform port scans on a specific destination port for reconnaissance purposes: to detect known vulnerable services that accept connections on that port, and then perform targeted attacks against them.
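As an added illustration of the detection logic described above (example code, not Cortex XDR's own analytics), the following Python groups outbound flows by internal source address and destination port and reports sources that reached many distinct external addresses on a single port. The flow-log lines, the VPC CIDR and the threshold are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the default AWS VPC Flow Log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0aaa 10.0.1.5 203.0.113.10 51001 22 6 1 44 1700000000 1700000010 REJECT OK
2 111122223333 eni-0aaa 10.0.1.5 203.0.113.11 51002 22 6 1 44 1700000001 1700000011 REJECT OK
2 111122223333 eni-0aaa 10.0.1.5 203.0.113.12 51003 22 6 1 44 1700000002 1700000012 REJECT OK
2 111122223333 eni-0aaa 10.0.1.5 203.0.113.13 51004 22 6 1 44 1700000003 1700000013 ACCEPT OK
2 111122223333 eni-0aaa 10.0.1.5 203.0.113.14 51005 22 6 1 44 1700000004 1700000014 REJECT OK
2 111122223333 eni-0aaa 10.0.1.5 203.0.113.15 51006 22 6 1 44 1700000005 1700000015 REJECT OK
2 111122223333 eni-0aaa 10.0.1.5 198.51.100.7 51007 443 6 12 3400 1700000006 1700000060 ACCEPT OK
2 111122223333 eni-0aaa 10.0.1.5 198.51.100.8 51008 443 6 9 2100 1700000007 1700000070 ACCEPT OK
2 111122223333 eni-0aaa 10.0.1.5 10.0.2.7 51009 22 6 20 4000 1700000008 1700000080 ACCEPT OK
2 111122223333 eni-0bbb 203.0.113.99 10.0.1.5 40000 22 6 1 44 1700000009 1700000019 REJECT OK
"""

# Assumed internal address space (the VPC CIDR); anything outside it counts as external.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]
# Assumed threshold for this example; the real analytics baseline is learned over the training period.
DISTINCT_EXTERNAL_TARGETS = 5

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)

def parse_flow_log(text: str):
    """Yield (srcaddr, dstaddr, dstport, protocol) from version-2 lines; skip NODATA/SKIPDATA records."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        yield f[3], f[4], int(f[6]), int(f[7])

def find_single_port_scanners(text: str, threshold: int = DISTINCT_EXTERNAL_TARGETS) -> dict:
    """Map (internal srcaddr, dstport) -> sorted external dstaddrs once the distinct count reaches the threshold."""
    targets = defaultdict(set)
    for src, dst, dport, proto in parse_flow_log(text):
        if proto not in (6, 17):  # only TCP/UDP carry a destination port
            continue
        if is_internal(src) and not is_internal(dst):  # outbound flows only: internal -> external
            targets[(src, dport)].add(dst)
    return {key: sorted(ips) for key, ips in targets.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for (src, dport), ips in find_single_port_scanners(SAMPLE_FLOW_LOG).items():
        print(f"{src} reached port {dport} on {len(ips)} external hosts: {', '.join(ips)}")
```

The inbound record (external source) and the internal-to-internal record are deliberately ignored, which is why only the SSH fan-out from 10.0.1.5 is reported.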

Attacker's Goals

Detect vulnerable services that listen on known ports and are exposed to the Internet.

Investigative actions

  • Check if similar activity was performed on additional cloud resources.
  • Check if similar activity was performed against additional ports and external IP addresses from the same cloud resource.
  • Check which process triggered the port scanning activity and for what purpose.