Palo Alto Alert Details
Alert ID: PAN-THREAT-78945-ACTIVESCAN
Alert Time: 2024-02-08 09:15:22 EST
Severity: MEDIUM (65/100)
Source: Palo Alto Networks Threat Prevention Logs
Rule: “Reconnaissance – Port Scan Detected”
MITRE ATT&CK: T1595.001 – Active Scanning: Scanning IP Blocks (port scan)
Alert Details:
Threat Type: Port Scan
Application: not identifiable (SYN-only probes carry no application payload); tool inferred from the scan pattern as nmap or masscan
Direction: External to Internal
Source IP: 203.0.113.89 (DigitalOcean – Singapore)
Destination Range: 192.168.0.0/16 as logged (RFC 1918 space, not routable from the Internet; the scan can only have reached it through the perimeter's public NAT addresses, so the logged destinations are post-translation)
Action: ALERT (the reconnaissance-protection profile is set to alert rather than block; the probes themselves were dropped by the ingress security policy, see Impact Assessment below)
Log Details:
– Time: 09:10 – 09:15 EST
– Packets: 12,847
– Source Ports: Random (1024-65535)
– Destination Ports scanned: 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5432,5900,8080,8443
– Scan Type: TCP SYN stealth scan
– Pattern: Sequential port scan across multiple hosts
Additional Context:
– Source IP 203.0.113.89 has no previous legitimate business connections
– Geolocation mismatch: Singapore IP scanning US-based corporate network (a weak indicator on its own; the location of a cloud VPS says little about who operates it)
– Threat intelligence: IP associated with known scanning campaigns (Recorded Future risk score 65, rated malicious)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify scan pattern, source IP reputation | Palo Alto Panorama, Recorded Future | Confirmed sequential port scan across /16 range |
| 2. Source Analysis | Investigate scanning infrastructure | Shodan, GreyNoise, VirusTotal | IP belongs to a known scanning campaign; GreyNoise shows the same host scanning other organizations |
| 3. Impact Assessment | Check if any connections succeeded | Palo Alto Logs, Zeek | All connections dropped by firewall; no successful sessions |
| 4. Internal Hunting | Check if any internal host responded | Splunk ES, Zeek conn.log | No successful connections; firewall blocked all |
| 5. Containment | Block attacker IP and related ranges | Palo Alto (Dynamic Block List) | Added IP to external threat feed blocklist |
| 6. Prevention | Tighten scan-detection thresholds | Palo Alto Zone Protection (Reconnaissance Protection) | Lowered the port-scan and host-sweep thresholds in the Zone Protection profile |
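The validation and hunting steps above (1, 3 and 4), and the Impact Assessment in the report below, come down to two checks on the same connection records: does one source touch enough distinct host/port pairs in a short window to count as a scan, and did any of its probes get a reply beyond a silently dropped SYN. The script below is an added example for this write-up; it is not part of the original alert, not Palo Alto Networks tooling, and not the SOC's own script. It assumes Zeek's tab-separated conn.log layout and the standard Zeek conn_state codes, and it runs over a constructed log excerpt that mirrors the alert (the scanner hitting two hosts on the 22 listed ports, plus one benign session). The detection thresholds, the epoch timestamp and the sample addresses other than the alert's source IP are assumptions.

```python
"""Triage of a port-scan alert from Zeek conn.log records.
Added example for this write-up, not code from the original alert, from Palo
Alto Networks, or from the SOC's own tooling. Assumes Zeek's TSV conn.log layout
(a '#fields' header, tab-separated columns) and the standard Zeek conn_state
codes; the log excerpt below is constructed to mirror the alert."""
from collections import defaultdict

# Ports from the alert's "Destination Ports scanned" list.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
                 993, 995, 1723, 3306, 3389, 5432, 5900, 8080, 8443]
SCANNER = "203.0.113.89"      # source IP from the alert
BASE_TS = 1707401415.0        # 2024-02-08 09:10:15 EST as epoch seconds
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "conn_state"]


def build_sample_log():
    """Constructed conn.log excerpt: the scanner probing two hosts on every
    listed port with no reply (S0), one probe answered with a RST (REJ), and
    one benign established session (SF) from an unrelated client."""
    rows, ts = [], BASE_TS
    for host in ("192.168.1.1", "192.168.1.2"):
        for port in SCANNED_PORTS:
            state = "REJ" if (host, port) == ("192.168.1.2", 3389) else "S0"
            rows.append((ts, f"C{len(rows):04d}", SCANNER, 41000 + len(rows),
                         host, port, "tcp", state))
            ts += 0.25
    rows.append((ts + 5, "Cbenign", "198.51.100.7", 52110, "192.168.10.5",
                 443, "tcp", "SF"))
    lines = ["#fields\t" + "\t".join(FIELDS)]
    lines += ["\t".join(str(v) for v in row) for row in rows]
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            rec["ts"] = float(rec["ts"])
            rec["id.resp_p"] = int(rec["id.resp_p"])
            records.append(rec)
    return records


def find_scanners(records, min_targets=20, window=300):
    """Flag sources touching at least min_targets distinct (host, port) pairs
    within `window` seconds, the kind of threshold logic behind a 'port scan
    detected' alert. Both numbers are assumptions, not the firewall's."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["id.orig_h"]].append(r)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # sliding window start
            targets, hosts = set(), set()
            for r in recs[i:]:
                if r["ts"] - first["ts"] > window:
                    break
                targets.add((r["id.resp_h"], r["id.resp_p"]))
                hosts.add(r["id.resp_h"])
            if len(targets) >= min_targets:
                hits[src] = {"targets": len(targets), "hosts": len(hosts)}
                break
    return hits


def classify_responses(records, source):
    """Split one source's connections by what the responder did:
    silent (S0) = SYN never answered, dropped at the firewall or host;
    rejected (REJ) = RST came back, port closed but host reachable;
    answered (SF, S1, RSTO, ...) = a handshake got through the perimeter."""
    counts = {"silent": 0, "rejected": 0, "answered": 0}
    answered = []
    for r in (x for x in records if x["id.orig_h"] == source):
        state = r["conn_state"]
        if state == "S0":
            counts["silent"] += 1
        elif state == "REJ":
            counts["rejected"] += 1
        else:
            counts["answered"] += 1
            answered.append((r["id.resp_h"], r["id.resp_p"], state))
    return counts, answered


if __name__ == "__main__":
    recs = parse_conn_log(build_sample_log())
    for src, hit in find_scanners(recs).items():
        print(src, hit, *classify_responses(recs, src))
```

The rejected bucket is the one to watch when reviewing the firewall's deny action: a policy that answers with a RST instead of silently dropping confirms to the scanner that a host exists even though no session is established. Only connections in the answered bucket need per-connection investigation before the ticket can be closed as "no successful connections".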
Jira Incident Report
Ticket: SOC-2024-040
Summary: T1595 – External Active Scanning Detected from Singapore-based IP
Status: RESOLVED
Resolution: RECONNAISSANCE – No Compromise
Priority: P3 – LOW
Labels: T1595, active-scanning, port-scan, reconnaissance, external-threat
Components: Network-Security, Threat-Intelligence
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Palo Alto Networks Threat Prevention logs.
- Alert: “Reconnaissance – Port Scan Detected”.
- Source IP: 203.0.113.89 (DigitalOcean, Singapore).
- Time: 2024-02-08 09:10-09:15 EST.
- Technique: MITRE ATT&CK T1595.001 – Active Scanning: Scanning IP Blocks (port scan).
2. Technical Analysis:
- Scan Details:
- Technique: TCP SYN (half-open) scan; tool likely nmap or masscan, inferred from the pattern since SYN-only probes carry no application data.
- Target: 192.168.0.0/16 as logged (all internal subnets; reached through the perimeter's public NAT addresses, since RFC 1918 space is not routable from the Internet).
- Ports Scanned: 22 common ports (SSH, HTTP, HTTPS, SMB, RDP, SQL, etc.).
- Duration: 5 minutes.
- Packets: 12,847.
- Pattern: The same 22-port list probed host after host in address order (a horizontal sweep of many hosts per port, rather than a vertical scan of all ports on one host).
- Source Analysis:
- IP: 203.0.113.89 – DigitalOcean cloud hosting (Singapore).
- Reputation: Recorded Future risk score 65 (rated malicious); associated with scanning campaigns.
- History: Same IP scanned 14 other companies in past 30 days.
- GreyNoise: Classified as “internet background noise” – scanner.
- Impact Assessment:
- All scan traffic dropped by the firewall's ingress security policy; the reconnaissance-protection profile only alerted and did not itself block.
- No successful connections established.
- No data exfiltration.
- No internal hosts compromised.
3. Investigation Findings:
- Timeline:
09:10:15 – First scan packet detected (SYN to port 22, host 192.168.1.1)
09:12:30 – Scan pattern escalates to multiple hosts/ports
09:15:00 – Palo Alto threshold exceeded, alert generated
09:15:22 – SOC notified via Splunk correlation
09:20:00 – Source IP analysis initiated
09:30:00 – IP added to blocklist
- Indicators of Compromise (IoCs):
Network:
– Source IP: 203.0.113.89 (the only actionable indicator; cloud-hosted addresses are reassigned, so re-validate before keeping it on a long-term blocklist)
– Scan Pattern: TCP SYN to ports 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5432,5900,8080,8443 (context only; this common-port list matches most mass scanners and is not usable as a standalone indicator)
4. Containment Actions:
- Immediate Containment:
- Added source IP to Palo Alto dynamic block list.
- Updated firewall policies to drop all traffic from IP.
- Prevention:
- Tightened the port-scan and host-sweep thresholds in the Zone Protection (Reconnaissance Protection) profile; scan detection in PAN-OS is threshold-based rather than signature-based.
- Added IP to threat intelligence feed for all security tools.
5. Root Cause Analysis:
- Primary Cause: External attacker conducting internet-wide reconnaissance.
- Contributing Factors: None (attack was blocked at perimeter).
6. Business Impact: NONE – All traffic blocked.
7. Remediation & Prevention:
Completed Actions:
- IP blocked at firewall via the dynamic block list.
- Scan-detection thresholds tightened in the Zone Protection profile.
- Threat intelligence feed updated.
8. Conclusion:
This was an external reconnaissance scan targeting our network perimeter. All traffic was successfully blocked by firewall ingress policies. No compromise occurred.
Closure Rationale: No evidence of successful connections; attacker blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 10:30 EST