Cortex XDR - Port Scan - Adjusted

This playbook is part of the Cortex XDR by Palo Alto Networks Pack.

The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’.

The playbook consists of the following procedures:

  • Enrichment and investigation of the scanner and scanned hostname and IP address.
  • Enrichment and investigation of the initiator user, process, file, or command if it exists.
  • Detection of related indicators and analysis of the relationship between the detected indicators.
  • Threat hunting using the detected indicators.
  • Blocking of detected malicious indicators.
  • Endpoint isolation.

This playbook supports the following Cortex XDR alert names:

  • Suspicious port scan
  • Port scan by suspicious process
  • Highly suspicious port scan
  • Port scan


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cortex XDR - Endpoint Investigation
  • Account Enrichment - Generic v2.1
  • Cortex XDR - Isolate Endpoint
  • TIM - Indicator Relationships Analysis
  • User Investigation - Generic
  • Command-Line Analysis
  • Block Indicators - Generic v3
  • File Enrichment - Generic v2
  • IP Enrichment - Generic v2
  • Threat Hunting - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • IsIPInRanges
  • GetTime
  • Set

Commands

  • setIncident

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| InternalIPRanges | A list of IP ranges to check the IP against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes). | lists.PrivateIPs | Optional |
| Username | The user name used for port scanning. | PaloAltoNetworksXDR.Incident.alerts.user_name | Optional |
| SrcIPAddress | The source IP address from which the port scanning was initiated. | PaloAltoNetworksXDR.Incident.alerts.action_local_ip | Optional |
| DstIPAddress | Scanned destination IP address. | PaloAltoNetworksXDR.Incident.alerts.action_remote_ip | Optional |
| DstPort | Scanned port numbers. | PaloAltoNetworksXDR.Incident.alerts.action_remote_port | Optional |
| EarlyContainment | Whether early containment should be allowed when the IP address is known to be malicious. Possible values: True/False. Default: True. | | |
| SrcHostname | Source host name from which port scanning was initiated. | PaloAltoNetworksXDR.Incident.alerts.host_name | Optional |
| EndpointID | Source endpoint ID from which port scanning was initiated. | PaloAltoNetworksXDR.Incident.alerts.endpoint_id | Optional |
| Initiator_CMD | The command used to initiate port scan activity. | PaloAltoNetworksXDR.Incident.alerts.action_process_image_command_line | Optional |
| Initiator_Process_SHA256 | SHA256 file hash of the process that initiated port scanning. | PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256 | Optional |
| AutoIsolateEndpoint | Whether to automatically isolate endpoints. | False | Required |
| AutoBlockIndicators | Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to False - no prompt will appear, and all provided indicators will be blocked automatically. If set to True - the user will be prompted to select which indicators to block. | | |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| PortScan.BlockPorts | Indicates whether there's a need to block the ports used for exploitation on the scanned host. | unknown |
| PortScan.AttackerIPs | Attacker IPs from the port scan alert. | unknown |
| PortScan.AttackerHostnames | Attacker hostnames from the port scan alert. | unknown |
| PortScan.AttackerUsername | Attacker username from the port scan alert. | unknown |
| PortScan.FileArtifacts | File artifacts from the port scan alert. | unknown |
| PortScan.LateralMovementFirstDatetime | Lateral Movement First Date time from the port scan alert. | unknown |
| PortScan.PortScanFirstDatetime | Port Scan First Date time. | unknown |

Playbook Image

Cortex XDR - Port Scan - Adjusted