Cortex XDR - Port Scan - Adjusted

Investigates a Cortex XDR incident containing internal port scan alerts. The playbook:

  • Syncs data with Cortex XDR.
  • Notifies management about a compromised host.
  • Escalates the incident in case of lateral movement alert detection.

This playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • IP Enrichment - Internal - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

  • IsIPInRanges
  • SetAndHandleEmpty
  • AssignAnalystToIncident

Commands

  • send-mail

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| WhitelistedPorts | A list of comma-separated ports that should not be blocked even if used in an attack. | | Optional |
| BlockAttackerIP | Determines whether attacking IPs should be automatically blocked using firewalls. | False | Optional |
| EmailAddressesToNotify | A list of comma-separated email addresses that should receive a notification about compromised hosts. | | Optional |
| InternalIPRanges | A list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the default list in the IsIPInRanges script (the known IPv4 private address ranges) is used. | | Optional |
| RoleForEscalation | The name of the Cortex XSOAR role of the users to whom the incident can be escalated in case of developments such as lateral movement. If this input is left empty, no escalation takes place. | | Optional |
| OnCall | Set to true to assign only the users that are currently on shift. | false | Optional |
| xdr_alert_id | Unique ID for the XDR alert. | | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| PortScan.BlockPorts | Indicates whether there is a need to block the ports used for exploitation on the scanned host. | unknown |
| PortScan.AttackerIPs | Attacker IPs from the port scan alert. | unknown |
| PortScan.AttackerHostnames | Attacker hostnames from the port scan alert. | unknown |
| PortScan.AttackerUsername | Attacker username from the port scan alert. | unknown |
| PortScan.FileArtifacts | File artifacts from the port scan alert. | unknown |
| PortScan.LateralMovementFirstDatetime | Lateral movement first date and time from the port scan alert. | unknown |
| PortScan.PortScanFirstDatetime | Port scan first date and time from the port scan alert. | unknown |
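The two decisions the inputs and outputs above revolve around are (a) whether an attacker IP falls inside InternalIPRanges (falling back to the private IPv4 ranges when the input is empty, as the IsIPInRanges script does) and (b) which scanned ports remain blockable once WhitelistedPorts is removed, which is what PortScan.BlockPorts reports. The following is an added illustration written for this page, not the playbook's or the IsIPInRanges script's own code; the attacker IPs, scanned ports and the `triage_port_scan` helper are constructed for the example, and the InternalAttackerIPs/ExternalAttackerIPs/BlockablePorts keys are hypothetical, not real playbook context paths.

```python
import ipaddress
from typing import Dict, Iterable, List

# Fallback used when InternalIPRanges is empty: the known IPv4 private ranges,
# matching the example list given in the input description above.
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"


def parse_csv(value: str) -> List[str]:
    """Split a comma-separated playbook input, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def is_ip_in_ranges(ip: str, ranges: str = "") -> bool:
    """Return True if `ip` lies in any CIDR of `ranges` (defaults to the private IPv4 ranges).

    strict=False lets an operator pass a host address such as 10.0.0.1/8 without
    the network parsing failing on host bits.
    """
    address = ipaddress.ip_address(ip)
    networks = [ipaddress.ip_network(r, strict=False)
                for r in parse_csv(ranges or DEFAULT_INTERNAL_RANGES)]
    return any(address in net for net in networks)


def ports_to_block(scanned_ports: Iterable[int], whitelisted_ports: str = "") -> List[int]:
    """Ports observed in the scan minus WhitelistedPorts; an empty list means nothing to block."""
    allowed = {int(p) for p in parse_csv(whitelisted_ports)}
    return sorted({int(p) for p in scanned_ports} - allowed)


def triage_port_scan(attacker_ips: List[str], scanned_ports: Iterable[int],
                     internal_ip_ranges: str = "", whitelisted_ports: str = "") -> Dict[str, object]:
    """Hypothetical triage step: classify attacker IPs and derive PortScan.BlockPorts.

    Only PortScan.AttackerIPs and PortScan.BlockPorts mirror real playbook outputs;
    the other keys are constructed for this example.
    """
    internal = [ip for ip in attacker_ips if is_ip_in_ranges(ip, internal_ip_ranges)]
    external = [ip for ip in attacker_ips if ip not in internal]
    blockable = ports_to_block(scanned_ports, whitelisted_ports)
    return {
        "PortScan.AttackerIPs": list(attacker_ips),
        "InternalAttackerIPs": internal,      # candidates for the lateral-movement branch
        "ExternalAttackerIPs": external,      # candidates for BlockAttackerIP handling
        "PortScan.BlockPorts": bool(blockable),
        "BlockablePorts": blockable,
    }


if __name__ == "__main__":
    # Constructed sample alert data: one RFC 1918 source, one documentation-range source.
    result = triage_port_scan(
        attacker_ips=["10.1.2.3", "203.0.113.7"],
        scanned_ports=[22, 445, 3389, 80],
        internal_ip_ranges="",          # empty -> DEFAULT_INTERNAL_RANGES applies
        whitelisted_ports="80,443",
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running the block as a script prints the internal source (10.1.2.3) separately from the external one, and reports BlockPorts as true with 22, 445 and 3389 left after removing the whitelisted port 80. Passing every scanned port in WhitelistedPorts turns BlockPorts false, which is the case the playbook's port-blocking branch should skip.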

Playbook Image


[Playbook image: Cortex XDR - Port Scan - Adjusted]