https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297248#M694 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Hows it going? As always you have many good suggestions. I decided to change the action to drop. I currently don't have mine meld and doesn't that cost?&nbsp; I currently do not have a SIEM setup yet I may need to look into that</P> Fri, 08 Nov 2019 14:12:11 GMT jdprovine 2019-11-08T14:12:11Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297081#M692 <P>I am getting this alert&nbsp;Masscan Port Scanning Tool Detection' what can I do that will stop the scanning, I would think I would need to do more that alert and when I check the threat database it didn't really offer much&nbsp;</P> Thu, 07 Nov 2019 17:14:18 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297081#M692 jdprovine 2019-11-07T17:14:18Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297150#M693 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>The default action for this is simply to alert. As is, I generally set it so anything coming from external resources with a severity great-or-equal to medium gets reset, regardless of default action. You might want to look at making the same modification to the threat profile utilized on your external security entries.&nbsp;</P><P>One of the thing you might want to look at is the firewalls built-in block-ip option that can limit the source-ip from connecting for a set duration. You can also setup MineMeld to pull indicators from the threat logs (either through log-forwarding to a SIEM or directly through the API) so you can feed these into a block-list so to speak by utilizing the EDL functionality.&nbsp;</P> Fri, 08 Nov 2019 03:46:39 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297150#M693 BPry 2019-11-08T03:46:39Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297248#M694 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>Hows it going? As always you have many good suggestions. I decided to change the action to drop. I currently don't have mine meld and doesn't that cost?&nbsp; I currently do not have a SIEM setup yet I may need to look into that</P> Fri, 08 Nov 2019 14:12:11 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297248#M694 jdprovine 2019-11-08T14:12:11Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297349#M695 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>The product is included with AutoFocus which does have a cost associated with it that has caused a fair amount of confusion; MineMeld itself however is open-source and can be installed by itself without any cost associated.&nbsp;</P><P>You can get the indicators added automatically to MineMeld using some scripts to pull a custom report through the API, and feeding the indicators into a file that gets fed into MineMeld as an indicator list. I might write a post about that one of these days.&nbsp;</P> Fri, 08 Nov 2019 17:45:49 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/masscan-port-scanning-tool-detection/m-p/297349#M695 BPry 2019-11-08T17:45:49Z