How to Investigate Prisma Cloud alert for “Unusual server port activity (Internal)”

Created On 10/07/22 14:28 PM - Last Modified 05/23/24 18:07 PM


Objective


The aim is to investigate an anomaly policy alert further once it has been triggered. These alerts are produced by machine learning: over a learning period the policy builds a baseline of normal behaviour and then flags outliers, which is why the Investigate page button is greyed out for them.

GUI Path: Alerts Overview > search Unusual port activity > click alert hyperlink > click alert ID


Environment


  • Prisma Cloud
  • Anomaly alerts 


Procedure


1. See Anomaly alert details 

GUI Path: Alerts Overview > search Unusual port activity > click alert hyperlink > click alert ID > click Anomaly Details

You can use network RQL queries on the Investigate page to examine the port scan activity behind this alert. The following queries cover the Port Scan (Internal) case:

-- internal to internal scan
network from vpc.flow_record where source.ip = <private_ip_source> AND dest.ip = <private_ip_destination> AND dest.resource IN (resource where virtualnetwork.name = '<vpc_name_destination>' ) AND traffic.type IN ( 'REJECTED' )
-- internal to external scan
network from vpc.flow_record where source.ip = <private_ip_source> AND dest.ip = <public_ip_destination> AND traffic.type IN ( 'REJECTED' )

Just customize your RQL to your environment.
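As an added illustration that is not part of this article or of Prisma Cloud's own code, the two RQL filters above applied offline in Python to constructed flow records, so you can see which rejected destination ports a source was probing per destination. The record schema, field names, VPC name and sample addresses are all assumptions.

```python
"""Offline approximation of the article's two RQL filters over VPC flow records."""
import ipaddress
from collections import defaultdict

# Constructed sample records (assumed, simplified flow-log schema carrying the
# fields the RQL refers to: source IP, destination IP, destination VPC, action).
SAMPLE_FLOWS = [
    {"source_ip": "10.0.1.10", "dest_ip": "10.0.2.20", "dest_port": 22, "dest_vpc": "vpc-prod", "action": "REJECTED"},
    {"source_ip": "10.0.1.10", "dest_ip": "10.0.2.20", "dest_port": 23, "dest_vpc": "vpc-prod", "action": "REJECTED"},
    {"source_ip": "10.0.1.10", "dest_ip": "10.0.2.20", "dest_port": 3389, "dest_vpc": "vpc-prod", "action": "REJECTED"},
    {"source_ip": "10.0.1.10", "dest_ip": "10.0.2.20", "dest_port": 443, "dest_vpc": "vpc-prod", "action": "ACCEPTED"},
    {"source_ip": "10.0.1.10", "dest_ip": "203.0.113.5", "dest_port": 8080, "dest_vpc": None, "action": "REJECTED"},
    {"source_ip": "10.0.1.10", "dest_ip": "203.0.113.5", "dest_port": 8443, "dest_vpc": None, "action": "REJECTED"},
    {"source_ip": "10.0.1.11", "dest_ip": "10.0.2.20", "dest_port": 80, "dest_vpc": "vpc-prod", "action": "REJECTED"},
]

# RFC 1918 ranges: what the article's <private_ip_*> placeholders stand for.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True when the address falls in an RFC 1918 range (internal), else external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def rejected_ports(flows, source_ip, dest_ip, dest_vpc=None):
    """Mirror one RQL query: keep REJECTED flows for the given source/destination
    pair and, for the internal-to-internal form, the destination VPC name.
    Returns the sorted set of rejected destination ports for that pair."""
    ports = set()
    for f in flows:
        if f["source_ip"] != source_ip or f["dest_ip"] != dest_ip:
            continue
        if f["action"] != "REJECTED":
            continue
        if dest_vpc is not None and f["dest_vpc"] != dest_vpc:
            continue
        ports.add(f["dest_port"])
    return sorted(ports)

def summarize_rejected(flows):
    """Group REJECTED flows per (source, destination) pair and label each pair
    internal or external by the destination address, matching the article's split
    into internal-to-internal and internal-to-external queries."""
    table = defaultdict(set)
    for f in flows:
        if f["action"] != "REJECTED":
            continue
        scope = "internal" if is_private(f["dest_ip"]) else "external"
        table[(f["source_ip"], f["dest_ip"], scope)].add(f["dest_port"])
    return {k: sorted(v) for k, v in table.items()}
```

A source with many distinct rejected ports against one destination is the pattern the anomaly policy is describing; a single rejected port is usually a misconfiguration rather than a scan.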



Additional Information


See the Prisma Cloud documentation on anomaly policies for more information.
