Port Scan - External Source

This playbook is part of the Port Scan Pack.

This playbook remediates port scans originating outside of the organization's network.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Block IP - Generic v2
  • PAN-OS - Block Domain - External Dynamic List
  • Domain Enrichment - Generic v2
  • Indicator Pivoting - DomainTools Iris
  • Calculate Severity - Generic v2

Integrations

  • DomainTools
  • Builtin

Scripts

  • SetAndHandleEmpty

Commands

  • reverseIP
  • setIncident

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| BlockAttackerIP | Whether attacking IPs should be automatically blocked using firewalls. | False | | Required |
| SourceExternalIPs | The external IP address(es) that initiated the port scan. | | | Optional |
| BlockMaliciousDomains | In the event that reverse IP lookup is performed, and a malicious domain is found, setting this to True will automatically block the malicious domains. If set to False, an analyst can manually block the domains. | False | | Required |
| DBotScore | All the DBotScores that were calculated, either automatically by auto-reputation or using specific tasks, when the incident was ingested. This is used to calculate the incident severity at a later stage. | None | DBotScore | Optional |

Playbook Outputs

There are no outputs for this playbook.
