Port Scan

The Cortex XDR – Analytics Port Scan alert indicates that an endpoint is scanning remote endpoints for open privileged ports.

Synopsis

Every 10 minutes.
21 days.
14 days.
14 days.
Traffic logs or Traps endpoint data.
Discovery.

Description

An endpoint is scanning privileged ports (ports lower than 1024) on remote endpoints. The ports that the endpoint is scanning are infrequently used by other endpoints (destinations that are normally used by many other endpoints will not raise this alert). Also, the traffic is not related to FTP or DCE/RPC.
The scanning activity exceeds the baseline average number of port connections for endpoints of this type.
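The detection logic described above, as an added illustration rather than Cortex XDR's own implementation: a source is flagged when its count of distinct, rarely used privileged destination ports exceeds a multiple of the baseline for its endpoint type. The flow records, the endpoint types, the baseline values, the popularity threshold, the alert ratio, and the mapping of "FTP or DCE/RPC" to ports 20/21 and 135 are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample flow records (source, destination, dst_port); not real Cortex XDR data.
FLOWS = [
    # 10.0.0.5 touches many rarely used privileged ports on one remote host
    *[("10.0.0.5", "10.0.0.50", p) for p in (22, 23, 25, 80, 110, 139, 443, 445, 21, 135, 8080)],
    # several hosts use the same file share and DNS service (a "popular" destination)
    *[(s, "10.0.0.10", 445) for s in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8")],
    *[(s, "10.0.0.10", 53) for s in ("10.0.0.5", "10.0.0.6", "10.0.0.7")],
    # an ordinary workstation contacting one rarely used destination
    ("10.0.0.6", "10.0.0.60", 22),
]
# Assumed endpoint classification and assumed baseline average of distinct
# privileged (destination, port) pairs per endpoint type.
ENDPOINT_TYPE = {"10.0.0.5": "workstation", "10.0.0.6": "workstation",
                 "10.0.0.7": "workstation", "10.0.0.8": "server"}
BASELINE = {"workstation": 1.0, "server": 2.0}
EXCLUDED_PORTS = {20, 21, 135}   # assumed: FTP data/control and DCE/RPC endpoint mapper
POPULAR_MIN_SOURCES = 3          # assumed: a service used by this many sources is "normal"


def port_scan_candidates(flows, endpoint_type, baseline, ratio=3.0):
    """Return {source: distinct_rare_privileged_targets} for sources above ratio * baseline."""
    # How many distinct sources talk to each (destination, port) service
    sources_per_service = defaultdict(set)
    for src, dst, port in flows:
        sources_per_service[(dst, port)].add(src)

    # Distinct privileged, non-excluded, non-popular targets per source
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port >= 1024 or port in EXCLUDED_PORTS:
            continue
        if len(sources_per_service[(dst, port)]) >= POPULAR_MIN_SOURCES:
            continue  # destination normally used by many endpoints: not suspicious
        targets[src].add((dst, port))

    hits = {}
    for src, pairs in targets.items():
        avg = baseline.get(endpoint_type.get(src, "workstation"), 1.0)
        if len(pairs) > ratio * avg:
            hits[src] = len(pairs)
    return hits


if __name__ == "__main__":
    print(port_scan_candidates(FLOWS, ENDPOINT_TYPE, BASELINE))  # {'10.0.0.5': 8}
```

The popularity filter is what keeps a host that simply reaches a busy file share or DNS server (10.0.0.6 and 10.0.0.7 here) from being flagged; tuning that threshold and the per-type baseline is where the false positives listed under Investigative Actions are controlled.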

Attacker's Goals

An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative Actions

  • New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time.
  • Check if the activity is a SYN-ACK scan. These might result in Cortex XDR – Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR – Analytics used the wrong baseline in triggering the alert.
  • Check for portmap and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR – Analytics could raise a false alert.

Related Documentation