Prisma Cloud: Anomaly alert for "Traffic on unusual port to a server inside monitored accounts"
Created On 07/31/23 15:50 PM - Last Modified 07/31/23 15:57 PM
Question
- An Anomaly alert is generated for the Policy "Traffic on unusual port to a server inside monitored accounts".
- The traffic in the Alert appears to be Syslog traffic and has never been alerted on previously. Why is this traffic being alerted on?
Environment
- Prisma Cloud
- Anomaly Policy
Answer
The "Traffic on unusual port to a server inside monitored accounts" policy builds a model for each virtual network in a cloud environment. Each model contains the TCP and UDP ports on which services in that virtual network were observed during the last 28 days. When traffic is seen on a port that is not in the model for that virtual network, it is reported to the customer as an Alert. Once this happens, the new port becomes part of the model and no further Alerts are generated for it, unless the policy sees no activity on that port for more than 28 days, in which case the port ages out of the model and the next traffic on it alerts again. This is why Syslog traffic that has been flowing for a long time can still alert: the model is per virtual network, so the same port is "new" the first time it is seen in another virtual network, and a port that has been quiet for more than 28 days is treated as new again.
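The following is an added, illustrative simulation of the baselining behaviour described above. It is not Prisma Cloud's code; the per-virtual-network keying, the 28-day window, the alert reasons and the sample flow records are assumptions chosen to match the description, so a practitioner can see when a long-running Syslog flow (UDP 514) alerts and when it does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Observation window stated in the article: a port stays in the model
# only while it has been seen within the last 28 days.
WINDOW = timedelta(days=28)


class PortBaseline:
    """Illustrative per-virtual-network model of (proto, port) -> last-seen time.

    This is an assumption-based simulation of the behaviour the article
    describes, not the vendor's implementation.
    """

    def __init__(self, window=WINDOW):
        self.window = window
        # vnet -> {(proto, port): last time traffic on that port was observed}
        self.last_seen = defaultdict(dict)

    def observe(self, vnet, proto, port, ts):
        """Record one flow; return an alert dict if the port is new for this vnet, else None."""
        model = self.last_seen[vnet]
        key = (proto, port)
        prev = model.get(key)
        # A port is "in the model" only if it was seen within the window.
        known = prev is not None and (ts - prev) <= self.window
        model[key] = ts  # the port (re)enters the model as soon as it is seen
        if known:
            return None
        return {
            "vnet": vnet,
            "proto": proto,
            "port": port,
            "ts": ts,
            "reason": "new port" if prev is None else "port idle > window",
        }


def run(flows):
    """Replay flow records in time order and return the alerts raised."""
    baseline = PortBaseline()
    alerts = []
    for vnet, proto, port, ts in sorted(flows, key=lambda f: f[3]):
        alert = baseline.observe(vnet, proto, port, ts)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample flows (vnet, proto, dst port, timestamp); not real telemetry.
T0 = datetime(2023, 7, 1)
SAMPLE_FLOWS = [
    ("vnet-prod", "udp", 514, T0),                       # syslog first seen: alerts
    ("vnet-prod", "udp", 514, T0 + timedelta(days=1)),   # already in model: silent
    ("vnet-prod", "tcp", 443, T0 + timedelta(days=1)),   # new port in vnet-prod: alerts
    ("vnet-dev", "udp", 514, T0 + timedelta(days=2)),    # same port, different vnet: alerts
    ("vnet-prod", "udp", 514, T0 + timedelta(days=40)),  # idle 39 days > 28: alerts again
]


if __name__ == "__main__":
    for a in run(SAMPLE_FLOWS):
        print(f"{a['ts']:%Y-%m-%d} {a['vnet']} {a['proto']}/{a['port']}: {a['reason']}")
```

The last record is the case from the question: the Syslog port was already known to vnet-prod, but after more than 28 days without traffic it left the model, so the next flow alerts again with a different reason than a never-seen port.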