10-22-2024 09:23 AM
reconnaissance protection alert search
We have alerts set up, but I need to search for the alerts. What is the search string?
10-22-2024 10:48 PM
Hello @Jameslee20,
Thanks for the post!
You can use this filter: ( subtype eq 'scan' ) in Threat logs.
It includes Host Sweep (ID 8002), TCP Port Scan (ID 8001) and UDP Port Scan (ID 8003).
Kind Regards
Pavel
10-29-2024 04:43 AM
Nothing pops up. Is there another scan?
10-29-2024 04:11 PM
Hello @Jameslee20,
Thank you for your reply.
The filter ( subtype eq 'scan' ) is a Threat type filter that will display all types of scanning events. Since nothing shows up in the logs in your case, could you confirm the points below:
- Did you enable "Log Setting" under the zone where Zone Protection is enabled? Please refer to this KB: Difference between Log Forwarding for a Zone and Security Policy Log Forwarding (scroll down to the section "Zone Log Forwarding").
- Could you review this KB: Zone Protection Profile Not Generating Logs During Penetration Scan? There are no threat logs if there is a "deny" action in the security policy.
- Could you review this KB: How to investigate "SCAN: TCP Port Scan" alerts? The scanning event will be generated only when the scan exceeds the Threshold (Events) within the Interval (Sec) defined in the Zone Protection profile applied to the ingress zone for TCP Port Scan.
- Could you make sure that the traffic you are investigating is not included in the exception list (source address exclusion)?
Kind Regards
Pavel
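To illustrate the threshold/interval and exclusion points from the answer above, here is an added example (not from the thread or from Palo Alto Networks): a simplified model of the TCP Port Scan check in a Zone Protection profile, followed by the equivalent of the ( subtype eq 'scan' ) Threat log filter. The event tuples, record field names and the hosts in it are constructed for the example and do not mirror the real PAN-OS log format or detection internals.

```python
from collections import defaultdict, deque

# Threat IDs listed in the answer above for the three scan types.
SCAN_THREAT_IDS = {8001: "SCAN: TCP Port Scan", 8002: "SCAN: Host Sweep",
                   8003: "SCAN: UDP Port Scan"}

def detect_tcp_port_scans(events, threshold, interval, exclusions=frozenset()):
    """Simplified model: events are (ts_seconds, src_ip, dst_ip, dst_port) tuples.
    One threat record (subtype 'scan', ID 8001) is emitted per source the first
    time it touches more than `threshold` distinct destination ports within a
    sliding window of `interval` seconds. Sources on the exclusion list are
    skipped, mirroring the source address exclusion mentioned in the answer."""
    windows = defaultdict(deque)   # src_ip -> deque of (ts, dst_port)
    alerted, logs = set(), []
    for ts, src, dst, port in sorted(events):
        if src in exclusions:
            continue
        win = windows[src]
        win.append((ts, port))
        while win and ts - win[0][0] > interval:   # drop entries outside the window
            win.popleft()
        if len({p for _, p in win}) > threshold and src not in alerted:
            alerted.add(src)
            logs.append({"type": "THREAT", "subtype": "scan", "threat_id": 8001,
                         "name": SCAN_THREAT_IDS[8001], "src": src, "dst": dst, "ts": ts})
    return logs

def filter_scan_logs(threat_logs):
    """Equivalent of the ( subtype eq 'scan' ) filter: keeps only scan records."""
    return [r for r in threat_logs if r.get("subtype") == "scan"]

# Constructed sample traffic: three sources probing 12 ports each on one host.
CONSTRUCTED_EVENTS = (
    [(100 + i, "198.51.100.7", "192.0.2.10", 20 + i) for i in range(12)]   # 1 port/s: fast
    + [(200 + 20 * i, "203.0.113.5", "192.0.2.10", 20 + i) for i in range(12)]  # 1 port/20 s: slow
    + [(300 + i, "192.0.2.99", "192.0.2.10", 20 + i) for i in range(12)]   # fast, but excluded
)

def run_example():
    # Threshold 10 events within a 10 s interval; the slow scanner never has more
    # than one port in any window, so only the fast, non-excluded source is logged.
    logs = detect_tcp_port_scans(CONSTRUCTED_EVENTS, threshold=10, interval=10,
                                 exclusions={"192.0.2.99"})
    # A constructed non-scan threat record, to show the subtype filter drops it.
    logs.append({"type": "THREAT", "subtype": "vulnerability", "threat_id": 0,
                 "name": "(constructed)", "src": "203.0.113.5", "dst": "192.0.2.10", "ts": 400})
    return filter_scan_logs(logs)

if __name__ == "__main__":
    for record in run_example():
        print(record)
```

Raising the threshold to 12 in this model yields no records at all, which is the "nothing shows up" situation the answer describes when the profile's threshold or interval is never exceeded.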