https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unusual-server-port-activity-internal-alerts-potential-false/m-p/364889#M336 <P>I have the thresholds for Unusual Server Port Internal activity set to the most conservative settings to minimize false positives but it seems like the highest port consistently gets flagged as "unusual".&nbsp; In the example below there are 15 ports labeled as usual and the Kafka port (9092) is being flagged as unusual.&nbsp; Upon further investigation we always find out that this is the intended purpose and traffic volumes support that this is normal activity.&nbsp; For example another similar alert was fired off on MongoDB but going into the investigate tab I can see months and hundreds of Gb of Mongo DB traffic so it should NOT have flagged this traffic coming from a host labeled as MongoDB (not that the naming convention has anything to do with it but I had to figure out if the resource this was connected to was legit a MongoDB server and client).<BR /><BR />I may enter a feature request to give "allowed ports" check box based on alerts generated for Unusual server port Internal.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="UnusualHighPortActivity.png" style="width: 794px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28771iA6A337416AEE3542/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="UnusualHighPortActivity.png" alt="UnusualHighPortActivity.png" /></span></P> Mon, 23 Nov 2020 17:24:34 GMT Retired Member 2020-11-23T17:24:34Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unusual-server-port-activity-internal-alerts-potential-false/m-p/364889#M336 <P>I have the thresholds for Unusual Server Port Internal activity set to the most conservative settings to minimize false positives but it seems like the highest port consistently gets flagged as "unusual".&nbsp; In the example below there are 15 ports labeled as usual and the Kafka port (9092) is being flagged as unusual.&nbsp; Upon further investigation we always find out that this is the intended purpose and traffic volumes support that this is normal activity.&nbsp; For example another similar alert was fired off on MongoDB but going into the investigate tab I can see months and hundreds of Gb of Mongo DB traffic so it should NOT have flagged this traffic coming from a host labeled as MongoDB (not that the naming convention has anything to do with it but I had to figure out if the resource this was connected to was legit a MongoDB server and client).<BR /><BR />I may enter a feature request to give "allowed ports" check box based on alerts generated for Unusual server port Internal.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="UnusualHighPortActivity.png" style="width: 794px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28771iA6A337416AEE3542/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="UnusualHighPortActivity.png" alt="UnusualHighPortActivity.png" /></span></P> Mon, 23 Nov 2020 17:24:34 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unusual-server-port-activity-internal-alerts-potential-false/m-p/364889#M336 Retired Member 2020-11-23T17:24:34Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unusual-server-port-activity-internal-alerts-potential-false/m-p/511714#M606 <P>Greetings Ramyfrahman,</P> <P>&nbsp;</P> <P>I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>J. Avery King</P> Fri, 12 Aug 2022 14:38:00 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/unusual-server-port-activity-internal-alerts-potential-false/m-p/511714#M606 AKing9 2022-08-12T14:38:00Z