Prisma Cloud: Port scan activity (External) Policy Explanation


Created On 01/04/23 19:37 PM - Last Modified 04/24/25 15:23 PM


Question


In this article, I plan to expand on the following questions:
  1. How does Prisma identify this activity?
  2. What log sources do you detect these activities from?
  3. What threat intel or source do you use to identify these activities from?


Environment


  • Prisma Cloud 


Answer


  1. How does Prisma identify this activity?
  • Prisma identifies port scan attempts by inspecting the rejected inbound traffic to your cloud environment: a host outside your environment is scanning one of your cloud hosts. Port scans are a type of discovery attack in which a source host probes a target host across multiple ports to find out what services are running and to uncover vulnerabilities associated with those services.
  2. What log sources do you detect these activities from?
  • Network Flow Logs
  3. What threat intel or source do you use to identify these activities from?
  • This policy does not rely on an external threat feed; it analyzes the customer's network flow logs, searching for situations where a single source host scans multiple ports on a single target host. The policy therefore focuses on cases where one target is probed across multiple ports.
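The detection logic described in the answers above, as an added illustration that is not Prisma Cloud's own implementation: it reads AWS VPC flow log records in the default format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), keeps only REJECT records from a source outside the VPC to a host inside it, and flags any (source, target) pair whose rejected flows span many distinct destination ports. The VPC CIDR, the sample records, and the distinct-port threshold are all constructed for the demo; the RQL string at the end is filled in from the template given further down in this article.

```python
"""Added example: flagging external port scans from rejected VPC flow records.

Illustrative code written for this article, not Prisma Cloud's detection logic.
Assumes the AWS VPC flow log default (v2) field order; the VPC CIDR, sample
records and threshold below are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

# Assumption: the monitored VPC's own address space; anything outside it is "external".
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Fields of the AWS VPC flow log default (v2) format, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def make_record(src, dst, dport, action, ts, sport=40000):
    """Build one constructed flow log line (test data, not a real capture)."""
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 1 44 "
            f"{ts} {ts + 60} {action} OK")


# Constructed sample: one external host probing 16 ports on one internal host,
# plus accepted traffic, a below-threshold rejecter, an internal scanner
# (outside this policy's scope) and a NODATA line that must be skipped.
SAMPLE_LINES = (
    [make_record("203.0.113.10", "10.0.1.5", p, "REJECT", 1672600000 + i)
     for i, p in enumerate(range(20, 36))]
    + [make_record("198.51.100.7", "10.0.1.5", 443, "ACCEPT", 1672600100 + i)
       for i in range(20)]
    + [make_record("198.51.100.9", "10.0.1.8", p, "REJECT", 1672600200)
       for p in (22, 80, 443)]
    + [make_record("10.0.2.4", "10.0.1.5", p, "REJECT", 1672600300)
       for p in range(1, 40)]
    + ["2 123456789012 eni-0a1b2c3d - - - - - - - 1672600400 1672600460 - NODATA"]
)


def parse_record(line):
    """Parse one default-format line; None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or rec["action"] == "-":
        return None
    rec["dstport"] = int(rec["dstport"])
    rec["start"] = int(rec["start"])
    return rec


def is_internal(ip):
    """True when the address lies inside the monitored VPC's CIDR(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def detect_external_port_scans(lines, min_distinct_ports=10):
    """Findings for external sources whose REJECTed flows to one internal
    target span at least `min_distinct_ports` distinct destination ports."""
    probes = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        # Policy scope: a host outside the environment probing one of our hosts.
        if is_internal(rec["srcaddr"]) or not is_internal(rec["dstaddr"]):
            continue
        entry = probes[(rec["srcaddr"], rec["dstaddr"])]
        entry["ports"].add(rec["dstport"])
        ts = rec["start"]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    findings = []
    for (src, dst), e in probes.items():
        if len(e["ports"]) >= min_distinct_ports:
            findings.append({"source_ip": src, "dest_ip": dst,
                             "distinct_ports": len(e["ports"]),
                             "duration_s": e["last"] - e["first"]})
    return sorted(findings, key=lambda f: -f["distinct_ports"])


def rql_for_finding(finding):
    """Fill the article's investigate-tab RQL template with a finding's addresses."""
    return ("network from vpc.flow_record where "
            f"source.ip = {finding['source_ip']} AND dest.ip = {finding['dest_ip']} "
            "AND traffic.type IN ( 'REJECTED' )")


if __name__ == "__main__":
    for finding in detect_external_port_scans(SAMPLE_LINES):
        print(finding)
        print("  ", rql_for_finding(finding))
```

Running it reports only the 203.0.113.10 to 10.0.1.5 pair: the accepted HTTPS traffic never counts, the three-port rejecter stays under the threshold, and the internal scanner is excluded because this policy covers external sources only. The threshold and the "external" definition are the two knobs a tuned version of this logic would derive from the environment rather than hard-code.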


Additional Information


  • The Port Scan Activity (External) policy is an Anomaly Policy and falls under Network Reconnaissance.
  • For more information regarding Anomaly Policies, please see the Prisma Cloud documentation on Anomaly Policies.
  • To view the relevant information for an alert, navigate to the Alerts Overview page, filter for alerts generated against this policy, and select the specific alert to see the details of what was identified as unusual or suspicious activity.
  • You may also run the following RQL in the Investigate tab to investigate further:

    network from vpc.flow_record where source.ip = <public_ip_source> AND dest.ip = <private_ip_destination> AND traffic.type IN ( 'REJECTED' )

