Skip to main content

Port Scan - External Source

This Playbook is part of the Port Scan Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook remediates port scans originating outside of the organization's network.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block IP - Generic v3
  • Indicator Pivoting - DomainTools Iris
  • Calculate Severity - Generic v2
  • Domain Enrichment - Generic v2


  • DomainTools


  • SetAndHandleEmpty


  • reverseIP
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
BlockAttackerIPWhether attacking IPs should be automatically blocked using firewalls.FalseRequired
SourceExternalIPsThe external IP address(es) that initiated the port scan.Optional
BlockMaliciousDomainsIn the event that reverse IP lookup is performed, and a malicious domain is found, setting this to True will automatically block the malicious domains. If set to False, an analyst can manually block the domains.FalseRequired
DBotScoreAll the DBotScores that were calculated, either automatically by auto-reputation or using specific tasks, when the incident was ingested. This is used to calculate the incident severity at a later stage.DBotScoreOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Port Scan - External Source