https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/613429#M121133 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144255">@Jameslee20</a></P> <P>&nbsp;</P> <P>thanks for post!</P> <P>&nbsp;</P> <P>You can use this filter:&nbsp;( subtype eq 'scan' ) in Threat logs.</P> <P>It includes&nbsp;Host Sweep (ID 8002), TCP Port Scan(ID 8001) and UDP Port Scan (ID 8003).</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 23 Oct 2024 05:48:12 GMT PavelK 2024-10-23T05:48:12Z https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/612472#M120947 <P>reconnaissance protection alert search</P> <P>We have alerts set up but I need to search for the alerts but what is the search string&nbsp;</P> Tue, 22 Oct 2024 16:23:56 GMT https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/612472#M120947 Jameslee20 2024-10-22T16:23:56Z https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/613429#M121133 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144255">@Jameslee20</a></P> <P>&nbsp;</P> <P>thanks for post!</P> <P>&nbsp;</P> <P>You can use this filter:&nbsp;( subtype eq 'scan' ) in Threat logs.</P> <P>It includes&nbsp;Host Sweep (ID 8002), TCP Port Scan(ID 8001) and UDP Port Scan (ID 8003).</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 23 Oct 2024 05:48:12 GMT https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/613429#M121133 PavelK 2024-10-23T05:48:12Z https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/615568#M121821 <P>nothing pop is there another scan</P> Tue, 29 Oct 2024 11:43:04 GMT https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/615568#M121821 Jameslee20 2024-10-29T11:43:04Z https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/615650#M121834 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144255">@Jameslee20</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>The filter <SPAN>( subtype eq 'scan' ) is a Threat type filter that will display all types of scanning events. Since nothing shows up in logs in your case, could you confirm below points:</SPAN></P> <P>&nbsp;</P> <P><SPAN>- </SPAN>Did you enable "Log Setting" under zone where zone protection is enabled? Please refer to this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHICA0" target="_self">Difference between Log Forwarding for a Zone and Security Policy Log Forwarding</A>&nbsp;(Scroll down to section "Zone Log Forwarding").</P> <P>- Could you review this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbCCAS" target="_self">Zone Protection Profile Not Generating Logs During Penetration Scan</A>?&nbsp;There are no threat logs if there is "deny" action in security policy.</P> <P>- Could you review this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM5ICAU" target="_self">How to investigate "SCAN: TCP Port Scan" alerts</A>? The scanning event will be generated only when scan exceeds the&nbsp;Threshold (Events) within the Interval (Sec) defined in the Zone Protection profile applied to the ingress Zone for TCP Port Scan.</P> <P>- Could you make sure that traffic you are investigating is not included in the exception list (source address exclusion)?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp; &nbsp;</P> Tue, 29 Oct 2024 23:11:01 GMT https://live.paloaltonetworks.com/t5/general-topics/reconnaissance-protection-alert-search/m-p/615650#M121834 PavelK 2024-10-29T23:11:01Z