Skip to main content

Cortex XDR - Port Scan - Adjusted

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’.

The playbook consists of the following procedures:

  • Enrichment and investigation of the scanner and scanned hostname and IP address.
  • Enrichment and investigation of the initiator user, process, file, or command if it exists.
  • Detection of related indicators and analysis of the relationship between the detected indicators.
  • Utilize the detected indicators to conduct threat hunting.
  • Blocks detected malicious indicators.
  • Endpoint isolation.

This playbook supports the following Cortex XDR alert names:

  • Suspicious port scan
  • Port scan by suspicious process
  • Highly suspicious port scan
  • Port scan


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block Indicators - Generic v3
  • Account Enrichment - Generic v2.1
  • File Enrichment - Generic v2
  • Threat Hunting - Generic
  • Cortex XDR - Isolate Endpoint
  • Cortex XDR - Endpoint Investigation
  • User Investigation - Generic
  • IP Enrichment - Generic v2
  • TIM - Indicator Relationships Analysis
  • Command-Line Analysis


This playbook does not use any integrations.


  • Set
  • IsIPInRanges
  • GetTime


  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
InternalIPRangesA list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Required
UsernameThe user name used for port scanning.PaloAltoNetworksXDR.Incident.alerts.user_nameOptional
SrcIPAddressThe source IP address from which the port scanning was initiated.PaloAltoNetworksXDR.Incident.alerts.action_local_ipOptional
DstIPAddressScanned destination IP address.PaloAltoNetworksXDR.Incident.alerts.action_remote_ipOptional
DstPortScanned port numbers.PaloAltoNetworksXDR.Incident.alerts.action_remote_portOptional
EarlyContainmentWhether early containment should be allowed when the IP address is known to be malicious.
Possible values:True/False. Default:True.
SrcHostnameSource host name from which port scanning was initiated.PaloAltoNetworksXDR.Incident.alerts.host_nameOptional
EndpointIDSource endpoint ID from which port scanning was initiated.PaloAltoNetworksXDR.Incident.alerts.endpoint_idOptional
Initiator_CMDThe command used to initiate port scan activity.PaloAltoNetworksXDR.Incident.alerts.action_process_image_command_lineOptional
Initiator_Process_SHA256Process SHA256 file hash initiated port scanning.PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256Optional
AutoIsolateEndpointWhether to automatically isolate endpoints.FalseRequired
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.

Playbook Outputs#

PortScan.BlockPortsIndicates whether there's a need to block the ports used for exploitation on the scanned host.unknown
PortScan.AttackerIPsAttacker IPs from the port scan alert.unknown
PortScan.AttackerHostnamesAttacker hostnames from the port scan alert.unknown
PortScan.AttackerUsernameAttacker username from the port scan alert.unknown
PortScan.FileArtifactsFile artifacts from the port scan alert.unknown
PortScan.LateralMovementFirstDatetimeLateral Movement First Date time from the port scan alert.unknown
PortScan.PortScanFirstDatetimePort Scan First Date timeunknown

Playbook Image#

Cortex XDR - Port Scan - Adjusted