Port Scan

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent
      OR
    • Third-Party Firewalls

Detection Modules

Detector Tags

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Informational

Description

The endpoint connected, or attempted to connect, to multiple privileged ports (lower than port 1024), which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).
Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.
Coverage for port scans using data arriving solely from Cortex agents is incomplete.

Attacker's Goals

An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative actions

  • New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time.
  • Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert.
  • Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.

Variations

Port scan by suspicious process

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Low

Description

The endpoint connected, or attempted to connect, to multiple privileged ports (lower than port 1024), which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).
Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.
Coverage for port scans using data arriving solely from Cortex agents is incomplete.

Attacker's Goals

An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative actions

  • New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time.
  • Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert.
  • Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.


Highly suspicious port scan

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Medium

Description

The endpoint connected, or attempted to connect, to multiple privileged ports (lower than port 1024), which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).
Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.
Coverage for port scans using data arriving solely from Cortex agents is incomplete.

Attacker's Goals

An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative actions

  • New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time.
  • Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert.
  • Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.


Suspicious port scan

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Low

Description

The endpoint connected, or attempted to connect, to multiple privileged ports (lower than port 1024), which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).
Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.
Coverage for port scans using data arriving solely from Cortex agents is incomplete.

Attacker's Goals

An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative actions

  • New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time.
  • Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert.
  • Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.