reconnaissance protection alert search

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

reconnaissance protection alert search

L2 Linker

reconnaissance protection alert search

We have alerts set up but I need to search for the alerts but what is the search string 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello @Jameslee20

 

thanks for post!

 

You can use this filter: ( subtype eq 'scan' ) in Threat logs.

It includes Host Sweep (ID 8002), TCP Port Scan(ID 8001) and UDP Port Scan (ID 8003).

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

nothing pop is there another scan

Cyber Elite
Cyber Elite

Hello @Jameslee20

 

thank you for reply.

 

The filter ( subtype eq 'scan' ) is a Threat type filter that will display all types of scanning events. Since nothing shows up in logs in your case, could you confirm below points:

 

- Did you enable "Log Setting" under zone where zone protection is enabled? Please refer to this KB: Difference between Log Forwarding for a Zone and Security Policy Log Forwarding (Scroll down to section "Zone Log Forwarding").

- Could you review this KB: Zone Protection Profile Not Generating Logs During Penetration Scan? There are no threat logs if there is "deny" action in security policy.

- Could you review this KB: How to investigate "SCAN: TCP Port Scan" alerts? The scanning event will be generated only when scan exceeds the Threshold (Events) within the Interval (Sec) defined in the Zone Protection profile applied to the ingress Zone for TCP Port Scan.

- Could you make sure that traffic you are investigating is not included in the exception list (source address exclusion)?

 

Kind Regards

Pavel   

Help the community: Like helpful comments and mark solutions.
  • 399 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!