Port scan alert


L1 Bithead

Hi everyone,

 

There is a situation in our case.

 

For example, there are 2 Windows hosts, Host1 and Host2. Host1 has XDR, but Host2 does not. If Host2 executes a port scan (it doesn't matter which tool is used: nmap, zenmap, etc.) against Host1, I cannot receive any alert for this action without an NGFW. Is there any option to detect this action and raise this event as an alert in Cortex XDR?

 

Thanks in advance! 

5 REPLIES

L3 Networker

Yes, XDR Analytics detects the port scan events and creates an alert in the alert table.

Read more details https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-s...

Best Regards,
Suresh

In this case, do I need to enable Windows Firewall? Or do I need to do additional things for this rule to work? Or a Host Firewall policy in Cortex? Because I found this rule, "Enumeration of Windows services from public IP addresses", and the ATT&CK Tactic and ATT&CK Technique are the same as those in the link you provided.

L1 Bithead

On the other hand, I'm talking about the host's incoming and outgoing network. For example, if someone executes a port scan (via some tool like nmap or zenmap) against another user's computer (which has the XDR agent), I need to detect this action.

You don't require anything from the Windows-side settings; configure your XDR agent settings profile with PRO features to collect the EED logs to get the alerts from analytics.

 

Thanks,

Suresh

 

Best Regards,
Suresh

I have configured the profiles correctly in Cortex XDR, including agent settings, but there is no alert.

  • 181 Views
  • 5 replies
  • 0 Likes
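An added example, not part of the thread and not Cortex XDR's analytics logic: the general heuristic behind detecting a port scan from the scanned host's own telemetry, which is one source touching many distinct local ports within a short window. The record layout (timestamp, source IP, local port), the thresholds and the IP addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this illustration (not Cortex XDR values).
WINDOW = timedelta(seconds=10)
MIN_DISTINCT_PORTS = 15
T0 = datetime(2024, 1, 1, 12, 0, 0)


def build_sample():
    """Constructed inbound connection attempts as seen on Host1."""
    events = []
    # Host2 (10.0.0.2) probes local ports 1..40, one every 100 ms.
    for i in range(40):
        events.append((T0 + timedelta(milliseconds=100 * i), "10.0.0.2", 1 + i))
    # A normal client that keeps reconnecting to one service.
    for i in range(30):
        events.append((T0 + timedelta(seconds=i), "10.0.0.7", 443))
    # A normal client that uses a handful of services.
    for i, port in enumerate((80, 443, 445)):
        events.append((T0 + timedelta(seconds=2 * i), "10.0.0.8", port))
    return sorted(events)


def detect_port_scans(events, window=WINDOW, min_ports=MIN_DISTINCT_PORTS):
    """Return {src_ip: (alert_time, distinct_ports)} for every source that
    touches at least min_ports distinct local ports inside one window."""
    recent = defaultdict(deque)  # src_ip -> (timestamp, port) still in window
    alerts = {}
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Drop records that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        # Alert once per source, at the moment the threshold is crossed.
        if len(distinct) >= min_ports and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_port_scans(build_sample()).items():
        print(f"port scan suspected from {src}: {n} distinct ports by {ts}")
```

Counting distinct ports rather than raw connections is what keeps the busy single-service client from alerting.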