https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538711#M4122 <P>Hi,</P> <P>&nbsp;</P> <P>You can probably use this, please see below:</P> <P>&nbsp;</P> <P>Correlation Alert Rule Query:</P> <LI-CODE lang="markup">config case_sensitive = false | preset = network_story | filter action_remote_port &lt; 1025 //You can increase this number according to your needs but port range till 1025 will be good enough. | fields agent_hostname as Hostname, action_local_ip as SRC_IP, action_remote_ip as DST_IP, action_remote_port as DST_Port | comp count_distinct(DST_Port) as Counter by Hostname, SRC_IP, DST_IP | filter Counter &gt; 25 //Adjust the counter value according to your needs.</LI-CODE> <P>&nbsp;</P> <P>For alert drill down, please use below:</P> <LI-CODE lang="markup">config case_sensitive = false | dataset = xdr_data | filter action_local_ip = $SRC_IP and action_remote_ip = $DST_IP | fields agent_hostname as Hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name, actor_process_command_line, actor_effective_username, actor_process_image_path </LI-CODE> <P>&nbsp;</P> <P>Please let us know the outcome.</P> Fri, 14 Apr 2023 05:35:21 GMT KanwarSingh01 2023-04-14T05:35:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538579#M4109 <P><SPAN><SPAN class="ui-provider gq b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Hello,</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN><SPAN class="ui-provider gq b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Can you please help with co- relation rule for detecting one host scanning multiple ports</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN><SPAN class="ui-provider gq b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Regards,</SPAN></SPAN></P> <P><SPAN><SPAN class="ui-provider gq b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Shashank</SPAN></SPAN></P> Thu, 13 Apr 2023 08:43:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538579#M4109 Shashanksinha 2023-04-13T08:43:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538675#M4119 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching LIVEcommunity.</P> <P>&nbsp;</P> <P>I'm doing some research to look into this and will get back to you as soon as I can.</P> <P>&nbsp;</P> Fri, 14 Apr 2023 00:31:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538675#M4119 anlynch 2023-04-14T00:31:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538711#M4122 <P>Hi,</P> <P>&nbsp;</P> <P>You can probably use this, please see below:</P> <P>&nbsp;</P> <P>Correlation Alert Rule Query:</P> <LI-CODE lang="markup">config case_sensitive = false | preset = network_story | filter action_remote_port &lt; 1025 //You can increase this number according to your needs but port range till 1025 will be good enough. | fields agent_hostname as Hostname, action_local_ip as SRC_IP, action_remote_ip as DST_IP, action_remote_port as DST_Port | comp count_distinct(DST_Port) as Counter by Hostname, SRC_IP, DST_IP | filter Counter &gt; 25 //Adjust the counter value according to your needs.</LI-CODE> <P>&nbsp;</P> <P>For alert drill down, please use below:</P> <LI-CODE lang="markup">config case_sensitive = false | dataset = xdr_data | filter action_local_ip = $SRC_IP and action_remote_ip = $DST_IP | fields agent_hostname as Hostname, action_local_ip, action_remote_ip, action_remote_port, actor_process_image_name, actor_process_command_line, actor_effective_username, actor_process_image_path </LI-CODE> <P>&nbsp;</P> <P>Please let us know the outcome.</P> Fri, 14 Apr 2023 05:35:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/co-relation-rule-for-detecting-one-host-scanning-multiple-ports/m-p/538711#M4122 KanwarSingh01 2023-04-14T05:35:21Z