Cortex XDR - Port Scan - Adjusted

This playbook is part of the Cortex XDR by Palo Alto Networks pack.

Investigates a Cortex XDR incident containing internal port scan alerts. The playbook:

  • Syncs data with Cortex XDR.
  • Notifies management about a compromised host.
  • Escalates the incident in case of lateral movement alert detection.

The playbook is designed to run as a sub-playbook of 'Cortex XDR Incident Handling - v3' and 'Cortex XDR Alerts Handling'. It depends on data from those parent playbooks and cannot be used standalone.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • IP Enrichment - Internal - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

  • SetAndHandleEmpty
  • IsIPInRanges
  • AssignAnalystToIncident

Commands

  • send-mail

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| WhitelistedPorts | A comma-separated list of ports that should not be blocked even if they were used in the attack. | | Optional |
| BlockAttackerIP | Determines whether attacking IPs should be automatically blocked using firewalls. | False | Optional |
| EmailAddressesToNotify | A comma-separated list of email addresses that should receive a notification about compromised hosts. | | Optional |
| InternalIPRanges | A comma-separated list of IP ranges, in CIDR notation, to check the IP against, for example: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If no list is provided, the default list built into the IsIPInRanges script (the known IPv4 private address ranges) is used. | | Optional |
| RoleForEscalation | The name of the Cortex XSOAR role whose users the incident can be escalated to in case of developments such as lateral movement. If this input is left empty, no escalation takes place. | | Optional |
| OnCall | Set to true to assign only users who are currently on shift. | false | Optional |
| xdr_alert_id | Unique ID of the XDR alert. | | Optional |
| InternalIPRange | Deprecated. Use the InternalIPRanges input instead. | | Optional |
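The three input-driven decisions described above (the internal-range check with its fallback to the private ranges, the port whitelist, and the escalate-only-when-a-role-is-set rule) are small enough to show in code. The block below is an added example written for this page; it is not the playbook's or the IsIPInRanges script's own code, and the function names, the alert-name matching and the sample values are assumptions for illustration.

```python
"""Added example (not the playbook's or XSOAR's own code): stand-alone
re-implementation of the input semantics documented for this playbook.
Function names and the sample inputs are assumptions for illustration."""
import ipaddress
from typing import Iterable, List, Optional

# Fallback used when InternalIPRanges is empty: the IPv4 private address
# ranges, which the page says IsIPInRanges defaults to.
DEFAULT_INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_ranges(internal_ip_ranges: Optional[str]) -> List[ipaddress._BaseNetwork]:
    """Parse the comma-separated CIDR list; an empty/None value selects the defaults."""
    raw = (internal_ip_ranges or "").strip()
    items = [s.strip() for s in raw.split(",") if s.strip()] or DEFAULT_INTERNAL_RANGES
    # strict=False tolerates host bits set in the input, e.g. "10.1.2.3/8".
    return [ipaddress.ip_network(item, strict=False) for item in items]


def is_ip_in_ranges(ip: str, internal_ip_ranges: Optional[str] = None) -> bool:
    """True if `ip` falls inside any configured (or default) range.

    A value that is not an IP address is treated as not internal rather than
    raising, so a malformed attacker-IP field does not abort the check.
    Version mismatches (IPv6 address vs IPv4 network) compare as False.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in parse_ranges(internal_ip_ranges))


def ports_to_block(scanned_ports: Iterable[int], whitelisted_ports: Optional[str]) -> List[int]:
    """Ports seen in the scan minus the WhitelistedPorts list (comma-separated)."""
    allow = {int(p) for p in (whitelisted_ports or "").split(",") if p.strip()}
    return sorted({int(p) for p in scanned_ports} - allow)


def should_escalate(alert_names: Iterable[str], role_for_escalation: Optional[str]) -> bool:
    """Escalate only when a lateral movement alert is present AND RoleForEscalation is set.

    Matching on the substring "lateral movement" in the alert name is an
    assumption made for this example, not the playbook's actual condition.
    """
    if not (role_for_escalation or "").strip():
        return False
    return any("lateral movement" in name.lower() for name in alert_names)


if __name__ == "__main__":
    # Constructed sample incident data, not real alert output.
    attacker_ips = ["10.20.30.40", "203.0.113.7"]
    for ip in attacker_ips:
        print(ip, "internal" if is_ip_in_ranges(ip) else "external")
    print("block ports:", ports_to_block([22, 445, 3389, 445], "22,80"))
    print("escalate:", should_escalate(["Port Scan", "Lateral Movement"], "Tier2"))
```

Note the precedence: an explicit InternalIPRanges value replaces the defaults entirely, so a list containing only 192.168.0.0/16 will classify 10.x addresses as external.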

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| PortScan.BlockPorts | Indicates whether the ports used for exploitation on the scanned host need to be blocked. | unknown |
| PortScan.AttackerIPs | Attacker IPs from the port scan alert. | unknown |
| PortScan.AttackerHostnames | Attacker hostnames from the port scan alert. | unknown |
| PortScan.AttackerUsername | Attacker username from the port scan alert. | unknown |
| PortScan.FileArtifacts | File artifacts from the port scan alert. | unknown |
| PortScan.LateralMovementFirstDatetime | First date and time of the lateral movement alert associated with the port scan. | unknown |
| PortScan.PortScanFirstDatetime | First date and time of the port scan alert. | unknown |

Playbook Image

[Playbook image: Cortex XDR - Port Scan - Adjusted]