Skip to main content


This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles external and internal scanning alerts.

Attacker's Goals:

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Investigative Actions:

Investigate the scanner IP address using:

  • IP enrichment:
  • NGFW Internal Scan playbook
  • Endpoint Investigation Plan playbook
  • Entity enrichment

Response Actions

The playbook's response actions are based on the initial data provided within the alert. In that phase, the playbook will execute:

  • Automatically block IP address
  • Report IP address (If configured as true in the playbook inputs)

When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan playbook, is executed. This phase will execute the following containment actions:

  • Automatically isolate involved endpoint
  • Manual block indicators
  • Manual file quarantine
  • Manual disable user

External resources:

Mitre technique T1046 - Network Service Scanning

Port Scan


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Handle False Positive Alerts
  • NGFW Internal Scan
  • Block IP - Generic v3
  • Endpoint Investigation Plan
  • Containment Plan
  • Recovery Plan
  • Ticket Management - Generic


  • CoreIOCs
  • CortexCoreIR


  • SearchIncidentsV2


  • closeInvestigation
  • abuseipdb-report-ip
  • ip
  • send-mail
  • setParentIncidentFields

Playbook Inputs#

NameDescriptionDefault ValueRequired
scannerIPThe scanner IP address.alert.localipOptional
blockKnownScannerWhether to block the IP address based on previously seen scanning alerts.trueOptional
AutoCloseAlertWhether to close the alert automatically or manually, after an analyst's review.falseOptional
AutoRecoveryWhether to execute the Recovery playbook.falseOptional
SOCEmailAddressThe SOC email address.Optional
reportIPAddressWhether to report the IP address to AbuseIPDB.falseOptional
AutoContainmentWhether to execute automatically or manually the containment plan tasks:
* Block indicators
* Quarantine file
* Disable user
HostAutoContainmentWhether to execute endpoint isolation automatically or manually.falseOptional
ShouldOpenTicketWhether to open a ticket automatically in a ticketing system. (True/False).FalseOptional
serviceNowShortDescriptionA short description of the ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
serviceNowImpactThe impact for the new ticket. Leave empty for ServiceNow default impact.Optional
serviceNowUrgencyThe urgency of the new ticket. Leave empty for ServiceNow default urgency.Optional
serviceNowSeverityThe severity of the new ticket. Leave empty for ServiceNow default severity.Optional
serviceNowTicketTypeThe ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
serviceNowCategoryThe category of the ServiceNow ticket.Optional
serviceNowAssignmentGroupThe group to which to assign the new ticket.Optional
ZendeskPriorityThe urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".Optional
ZendeskRequesterThe user who requested this ticket.Optional
ZendeskStatusThe state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".Optional
ZendeskSubjectThe value of the subject field for this ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
ZendeskTagsThe array of tags applied to this ticket.Optional
ZendeskTypeThe type of this ticket. Allowed values are "problem", "incident", "question", or "task".Optional
ZendeskAssigneThe agent currently assigned to the ticket.Optional
ZendeskCollaboratorsThe users currently CC'ed on the ticket.Optional
descriptionThe ticket description.${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}Optional
addCommentPerEndpointWhether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.TrueOptional
CommentToAddComment for the ticket.${}. Alert ID: ${}Optional
UserVerificationPossible values: True/False. Default: True.
Whether to provide user verification for blocking IP addresses.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#