https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227767#M1474 <P><SPAN>Hello!</SPAN></P> <P>&nbsp;</P> <P><SPAN>Ensure your cloud account has network flow logs set up.&nbsp;</SPAN></P> <P><SPAN><A href="https://docs.prismacloud.io/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-aws/configure-flow-logs" target="_blank">https://docs.prismacloud.io/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-aws/configure-flow-logs</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Here is a quick summary of the basic steps required to configure a cloud environment to generate port scan activity that will be detected by Prisma Cloud:</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Create two cloud instances within the same virtual network and subnet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Configure the security group of the instances to allow the network traffic in the virtual network to be captured correctly.&nbsp;<STRONG><I>It is critical that the security group only has inbound rules that allow specific services (ports) and it is not set with the too permissive ACCEPT ALL rule.</I></STRONG>&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Connect to one of the cloud instances, which will be used to generate the port scan, to install the Network Mapper (NMAP) tool.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-04-30 at 10.10.53 AM.png" style="width: 227px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67361iBC4799712043D4BF/image-dimensions/227x26?v=v2" width="227" height="26" role="button" title="Screenshot 2025-04-30 at 10.10.53 AM.png" alt="Screenshot 2025-04-30 at 10.10.53 AM.png" /></span></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Run the NMAP tool to generate the necessary network traffic.</SPAN><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-04-30 at 10.06.42 AM.png" style="width: 270px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67360i7419D5B1794A57E1/image-dimensions/270x34?v=v2" width="270" height="34" role="button" title="Screenshot 2025-04-30 at 10.06.42 AM.png" alt="Screenshot 2025-04-30 at 10.06.42 AM.png" /></span></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Access the monitoring service to confirm that the network flow logs from running NMAP have been generated successfully. In AWS, monitoring is provided through the CloudWatch service.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Confirm that the corresponding alerts have been generated in Prisma Cloud.</SPAN></LI> </OL> Wed, 30 Apr 2025 14:11:43 GMT LMegrelis 2025-04-30T14:11:43Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227291#M1468 <P>PrismaCloudの機能確認として、監視対象のAWSサーバに対して、外部のパブリックIPアドレスを持つサーバから50以上のポートを対象にポートスキャンしましたが、アノマリ検知アラートが上がりません。<BR />アノマリ、アラートの設定の見直しは行っており、使用開始してから1ケ月以上の時間もたっているので機械学習なども特に影響はないと考えています。</P> Thu, 24 Apr 2025 04:42:24 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227291#M1468 rnakamura1 2025-04-24T04:42:24Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227366#M1471 <P>Hello!&nbsp;</P> <P>&nbsp;</P> <P>I would recommend setting your anomaly policy threshold as per our documentation.&nbsp;</P> <P><A href="https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/anomalies/anomaly-thresholds" target="_blank">https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/anomalies/anomaly-thresholds</A></P> <P>&nbsp;</P> <P>Also an important factor to consider is&nbsp;<STRONG><SPAN>A condition for the port scan policies to work, is that it should find REJECTED traffic.</SPAN></STRONG></P> <P>&nbsp;</P> <P>This documentation below gives further context into the policy's behavior.&nbsp;</P> <P><STRONG><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saJbCAI" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saJbCAI</A></SPAN></STRONG></P> <P>&nbsp;</P> Thu, 24 Apr 2025 15:22:40 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227366#M1471 LMegrelis 2025-04-24T15:22:40Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227718#M1473 <P>ご返信ありがとうございます。<BR />案内いただいたドキュメントも確認しましたが、やはり検知を確認できません。<BR /><BR />ポートスキャンの検知を行うには、異常とみなされるためにポートスキャンの種類(TCP,UDPなど)やスキャン元のリージョン(USなど)、スキャンの方法(Masscanなど)など、50以上のポートをスキャンすること以外にも制約があるのでしょうか。<BR /><BR />ポートスキャンの検知のテストができないと、リリース判定が通りません。<BR />自分で意図的にポートスキャンの検知を行うには具体的にどうすればよいかお教えいただきたいです。<BR />宜しくお願い致します。</P> Wed, 30 Apr 2025 01:01:43 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227718#M1473 rnakamura1 2025-04-30T01:01:43Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227767#M1474 <P><SPAN>Hello!</SPAN></P> <P>&nbsp;</P> <P><SPAN>Ensure your cloud account has network flow logs set up.&nbsp;</SPAN></P> <P><SPAN><A href="https://docs.prismacloud.io/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-aws/configure-flow-logs" target="_blank">https://docs.prismacloud.io/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-aws/configure-flow-logs</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Here is a quick summary of the basic steps required to configure a cloud environment to generate port scan activity that will be detected by Prisma Cloud:</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Create two cloud instances within the same virtual network and subnet.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Configure the security group of the instances to allow the network traffic in the virtual network to be captured correctly.&nbsp;<STRONG><I>It is critical that the security group only has inbound rules that allow specific services (ports) and it is not set with the too permissive ACCEPT ALL rule.</I></STRONG>&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Connect to one of the cloud instances, which will be used to generate the port scan, to install the Network Mapper (NMAP) tool.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-04-30 at 10.10.53 AM.png" style="width: 227px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67361iBC4799712043D4BF/image-dimensions/227x26?v=v2" width="227" height="26" role="button" title="Screenshot 2025-04-30 at 10.10.53 AM.png" alt="Screenshot 2025-04-30 at 10.10.53 AM.png" /></span></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Run the NMAP tool to generate the necessary network traffic.</SPAN><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-04-30 at 10.06.42 AM.png" style="width: 270px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67360i7419D5B1794A57E1/image-dimensions/270x34?v=v2" width="270" height="34" role="button" title="Screenshot 2025-04-30 at 10.06.42 AM.png" alt="Screenshot 2025-04-30 at 10.06.42 AM.png" /></span></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Access the monitoring service to confirm that the network flow logs from running NMAP have been generated successfully. In AWS, monitoring is provided through the CloudWatch service.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Confirm that the corresponding alerts have been generated in Prisma Cloud.</SPAN></LI> </OL> Wed, 30 Apr 2025 14:11:43 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/%E3%83%9D%E3%83%BC%E3%83%88%E3%82%B9%E3%82%AD%E3%83%A3%E3%83%B3%E3%81%AE%E3%82%A2%E3%83%8E%E3%83%9E%E3%83%AA%E6%A4%9C%E7%9F%A5%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/m-p/1227767#M1474 LMegrelis 2025-04-30T14:11:43Z