Port Scan

Analytics alert indicates that an endpoint is scanning remote endpoints for open privileged ports.


Every 10 minutes
21 days
14 days
1 day
Any of the following:
  • Palo Alto Networks firewall traffic logs
  • Check Point firewall traffic logs
  • Cisco firewall traffic logs
  • Fortinet firewall traffic logs
  • Cortex XDR agent endpoint data
Varies by activity (High, Medium, or Low).

Description

An endpoint is connecting to privileged ports (ports lower than 1024) on remote endpoints. The ports the endpoint is contacting are infrequently used by other endpoints; destinations that are normally used by many other endpoints do not raise this alert. FTP and DCE/RPC traffic is also excluded from this alert.
The scanning activity exceeds the baseline average number of port connections for endpoints of this type.

Attacker's Goals

An attacker is determining which ports are open or closed on remote endpoints in order to identify the operating system, firewall configuration, and exploitable services of those endpoints.

Investigative Actions

  • New endpoints that use multiple ports can cause a false positive. Confirm that the endpoint is not new on the network, and that it is not hosting services, such as an FTP server or a domain controller, that other endpoints are contacting for the first time.
  • Check whether the activity is a SYN-ACK scan. If the logged packets are SYN-ACK replies rather than connection attempts, Cortex XDR Analytics may attribute the scan to the wrong direction (the responder rather than the initiator) and therefore evaluate it against the wrong baseline when triggering the alert.
  • Check for portmap (RPC portmapper) and/or X11 usage. Both typically open multiple ports. If use of that protocol against the specific destination is sparse, Cortex XDR Analytics may raise a false alert.
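The detection logic described above, reduced to a runnable sketch that also exercises two of the investigative caveats (SYN-ACK records attributed to the wrong direction, and sources that are new on the network). This is an added example and not Cortex XDR's own analytic or code: the CSV log format, the baseline formula (mean count of distinct privileged destination/port pairs per source during a training window), the "popular destination" threshold of three distinct sources, the hard-coded exclusion of TCP ports 21 and 135 as stand-ins for the FTP and DCE/RPC exclusion, and all sample log lines are assumptions constructed for illustration.

```python
"""Toy port-scan analytic in the spirit of the alert described above.
Added example, not Cortex XDR's detector: the log format, thresholds and
baseline formula below are constructed assumptions for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

PRIVILEGED_MAX = 1023       # privileged ports are below 1024
EXCLUDED_PORTS = {21, 135}  # assumption: FTP control and DCE/RPC endpoint mapper stand in
                            # for the page's "not related to FTP or DCE/RPC" exclusion
POPULAR_SOURCES = 3         # assumption: a (dst, port) seen from this many distinct sources
                            # counts as "normally used by many other endpoints"

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flags of the first packet the sensor logged, e.g. "S" or "SA"

def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV traffic-log line: ts,src,sport,dst,dport,proto,flags."""
    _ts, src, sport, dst, dport, proto, flags = line.strip().split(",")
    return Flow(src, int(sport), dst, int(dport), proto.lower(), flags.upper())

def normalize_direction(flow: Flow) -> Flow:
    """A logged SYN-ACK is the reply, so the true initiator is the record's destination.
    Swapping the endpoints here is what prevents the 'wrong direction' false alert."""
    if flow.proto == "tcp" and flow.flags == "SA":
        return Flow(flow.dst, flow.dport, flow.src, flow.sport, flow.proto, "S")
    return flow

def privileged_pairs(lines):
    """Return {src: {(dst, dport)}} and {(dst, dport): {src}} for privileged TCP ports only."""
    per_src, pair_sources = defaultdict(set), defaultdict(set)
    for line in lines:
        f = normalize_direction(parse_flow(line))
        if f.proto != "tcp" or f.dport > PRIVILEGED_MAX or f.dport in EXCLUDED_PORTS:
            continue
        per_src[f.src].add((f.dst, f.dport))
        pair_sources[(f.dst, f.dport)].add(f.src)
    return per_src, pair_sources

def baseline_average(training_lines) -> float:
    """Assumed baseline: mean count of distinct privileged (dst, port) pairs per source."""
    per_src, _ = privileged_pairs(training_lines)
    return mean(len(pairs) for pairs in per_src.values()) if per_src else 0.0

def detect_port_scans(test_lines, training_lines):
    """Alert on sources whose infrequently used privileged targets exceed the baseline.
    Each alert records whether the source was unseen in training (new-endpoint caveat)."""
    known_sources, _ = privileged_pairs(training_lines)
    baseline = baseline_average(training_lines)
    per_src, pair_sources = privileged_pairs(test_lines)
    alerts = {}
    for src, pairs in per_src.items():
        rare = sorted(p for p in pairs if len(pair_sources[p]) < POPULAR_SOURCES)
        if len(rare) > baseline:
            alerts[src] = {"targets": rare, "new_endpoint": src not in known_sources}
    return alerts

# Constructed sample logs, not real traffic.
TRAINING_LOGS = [
    "2024-05-01T09:00:01Z,10.0.0.11,52001,10.0.1.1,445,tcp,S",
    "2024-05-01T09:00:02Z,10.0.0.12,52002,10.0.1.1,445,tcp,S",
    "2024-05-01T09:00:03Z,10.0.0.13,52003,10.0.1.1,445,tcp,S",
    "2024-05-01T09:00:04Z,10.0.0.11,52004,10.0.1.2,443,tcp,S",
    "2024-05-01T09:00:05Z,10.0.0.12,52005,10.0.1.2,443,tcp,S",
]
TEST_LOGS = [
    "2024-05-02T10:00:01Z,10.0.0.11,53001,10.0.1.1,445,tcp,S",
    "2024-05-02T10:00:02Z,10.0.0.12,53002,10.0.1.1,445,tcp,S",
    "2024-05-02T10:00:03Z,10.0.0.13,53003,10.0.1.1,445,tcp,S",
    "2024-05-02T10:00:04Z,10.0.0.11,53004,10.0.1.2,443,tcp,S",
    "2024-05-02T10:00:05Z,10.0.0.12,53005,10.0.1.2,443,tcp,S",
    # 10.0.0.99 sweeps privileged ports on 10.0.1.1: 445/443 are popular, 21/135 excluded,
    # 8080 is not privileged, and the last record is a reply the sensor logged as SYN-ACK.
    "2024-05-02T10:01:00Z,10.0.0.99,51000,10.0.1.1,22,tcp,S",
    "2024-05-02T10:01:00Z,10.0.0.99,51001,10.0.1.1,23,tcp,S",
    "2024-05-02T10:01:00Z,10.0.0.99,51002,10.0.1.1,25,tcp,S",
    "2024-05-02T10:01:00Z,10.0.0.99,51003,10.0.1.1,80,tcp,S",
    "2024-05-02T10:01:00Z,10.0.0.99,51004,10.0.1.1,110,tcp,S",
    "2024-05-02T10:01:00Z,10.0.0.99,51005,10.0.1.1,445,tcp,S",
    "2024-05-02T10:01:00Z,10.0.0.99,51006,10.0.1.2,443,tcp,S",
    "2024-05-02T10:01:01Z,10.0.0.99,51007,10.0.1.1,21,tcp,S",
    "2024-05-02T10:01:01Z,10.0.0.99,51008,10.0.1.1,135,tcp,S",
    "2024-05-02T10:01:01Z,10.0.0.99,51009,10.0.1.1,8080,tcp,S",
    "2024-05-02T10:01:02Z,10.0.1.3,22,10.0.0.99,51010,tcp,SA",
]

if __name__ == "__main__":
    for src, info in detect_port_scans(TEST_LOGS, TRAINING_LOGS).items():
        print(src, info)
```

Run against the constructed logs, only 10.0.0.99 alerts: its six infrequently used privileged targets (ports 22, 23, 25, 80 and 110 on 10.0.1.1, plus port 22 on 10.0.1.3 recovered from the SYN-ACK record) exceed the training baseline of about 1.67 pairs per source, while the workstations that only touch the popular 445 and 443 destinations contribute zero countable pairs. The alert also carries new_endpoint=True, which is the cue from the first investigative action to verify the host before treating the activity as hostile.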
