Skip to main content

Cortex XDR - Port Scan

This Playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.#

Investigates a Cortex XDR incident containing internal port scan alerts. The playbook:

  • Syncs data with Cortex XDR
  • Enriches the hostname and IP address of the attacking endpoint
  • Notifies management about host compromise
  • Escalates the incident in case of lateral movement alert detection
  • Hunts malware associated with the alerts across the organization
  • Blocks detected malware associated with the incident
  • Blocks IPs associated with the malware
  • Isolates the attacking endpoint
  • Allows manual blocking of ports that were used for host login following the port scan Supported Cortex XSOAR versions: 5.0.0 and later.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Isolate Endpoint - Generic
  • Block File - Generic v2
  • PANW - Hunting and threat detection by indicator type V2
  • Block IP - Generic v2
  • Calculate Severity - Generic v2
  • IP Enrichment - Internal - Generic v2


  • CortexXDRIR


  • StopScheduledTask
  • AssignAnalystToIncident
  • XDRSyncScript
  • IsIPInRanges
  • SetAndHandleEmpty


  • setIncident
  • closeInvestigation
  • xdr-update-incident
  • xdr-get-endpoints
  • send-mail

Playbook Inputs#

NameDescriptionDefault ValueRequired
WhitelistedPortsA list of comma-separated ports that should not be blocked even if used in an attack.Optional
BlockAttackerIPWhether attacking IPs should be automatically blocked using firewalls.FalseOptional
WhitelistedHostnamesA list of comma-separated hostnames that should not be isolated even if used in an attack.AdminPCOptional
EmailAddressesToNotifyA list of comma-separated values of email addresses that should receive a notification about compromised hosts.Optional
CriticalUsernamesA list of comma-separated names of critical users in the organization. This will affect the calculated severity of the incident.Optional
IsolateEndpointAutomaticallyWhether to automatically isolate endpoints, or opt for manual user approval. True means isolation will be done automatically.FalseOptional
InternalIPRangesA list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
CriticalHostnamesA list of comma-separated names of critical endpoints in the organization. This will affect the calculated severity of the incident.AdminPCOptional
RoleForEscalationThe name of the Cortex XSOAR role of the users that the incident can be escalated to in case of developments like lateral movement.Optional
BlockMaliciousFilesWhether to automatically block malicious files involved with the incident across all endpoints in the organization.FalseOptional
CriticalADGroupsCSV of DN names of critical Active Directory groups. This will affect the severity calculated for this incident.adminsOptional
OnCallSet to true to assign only the users that are currently on shift.falseOptional

Playbook Outputs#

There are no outputs for this playbook.