T1595 – Active Scanning (Palo Alto Detection)

Palo Alto Alert Details
Alert ID: PAN-THREAT-78945-ACTIVESCAN
Alert Time: 2024-02-08 09:15:22 EST
Severity: MEDIUM (65/100)
Source: Palo Alto Networks Threat Prevention Logs
Rule: “Reconnaissance – Port Scan Detected”
MITRE ATT&CK: T1595.001 – Active Scanning: Scanning IP Blocks (port scan)

Alert Details:

Threat Type: Port Scan

Suspected Tool: nmap or masscan (inferred from the SYN-only probe pattern; the scanner itself is not identified by the firewall)

Direction: External to Internal

Source IP: 203.0.113.89 (DigitalOcean – Singapore)

Destination Range: Internal IP space (192.168.0.0/16)

Action: ALERT (the reconnaissance-protection action for scan detection is set to alert rather than block-ip; the individual SYNs were still denied by the ingress security policy)

Log Details:

– Time: 09:10 – 09:15 EST

– Packets: 12,847

– Source Ports: Random (1024-65535)

– Destination Ports scanned: 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5432,5900,8080,8443

– Scan Type: TCP SYN stealth scan

– Pattern: Sequential port scan across multiple hosts

Additional Context:

– Source IP 203.0.113.89 has no previous legitimate business connections

– Geolocation mismatch: Singapore IP scanning US-based corporate network

– Threat intelligence: IP associated with known scanning campaigns (Recorded Future score: 65/malicious)
SOC Investigation Process

1. Alert Validation
Action: Verify the scan pattern and the source IP reputation
Tools Used: Palo Alto Panorama, Recorded Future
Findings: Confirmed a sequential port scan across the /16 range

2. Source Analysis
Action: Investigate the attacker infrastructure
Tools Used: Shodan, GreyNoise, VirusTotal
Findings: IP is part of a known scanning campaign; the same host has scanned address space at other companies

3. Impact Assessment
Action: Check whether any connection succeeded
Tools Used: Palo Alto traffic logs, Zeek
Findings: All sessions denied by the firewall; no allowed sessions in the traffic log

4. Internal Hunting
Action: Check whether any internal host responded
Tools Used: Splunk ES, Zeek conn.log
Findings: No conn.log entry from the source reached an established conn_state; no internal host responded

5. Containment
Action: Block the attacker IP and related ranges
Tools Used: Palo Alto External Dynamic List (EDL)
Findings: Added the IP to the external threat-feed blocklist

6. Prevention
Action: Tighten scan detection thresholds
Tools Used: Palo Alto Zone Protection profile (Reconnaissance Protection)
Findings: Tightened the port-scan interval and threshold
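The detection described in the log details and the checks in steps 3 and 4 can be reproduced offline. The following Python is an added example, not code from this write-up, from Zeek or from Palo Alto Networks. It builds a constructed Zeek conn.log excerpt shaped like the alert (one external source sending a SYN to each of the 22 ports above on several 192.168.1.x hosts, with no replies), flags any source that touches many distinct host:port targets within a time window, which mirrors the interval/threshold model of a reconnaissance-protection rule, and then verifies whether any connection from that source reached an established conn_state. The timestamps, the interval and threshold defaults, and the partner host 198.51.100.20 are assumptions.

```python
"""Port-scan detection and impact check over Zeek conn.log lines.

Added example, not from the original write-up or from Zeek/Palo Alto.
Assumes Zeek's default tab-separated conn.log layout (a '#fields' header,
'-' for unset values). All log rows are constructed for illustration.
"""
from collections import Counter, defaultdict, deque

# conn_state values in which the responder completed the handshake or
# exchanged data. S0 (no reply), REJ (RST to the SYN), OTH etc. are attempts.
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
              993, 995, 1723, 3306, 3389, 5432, 5900, 8080, 8443]
T0 = 1707401415.0  # 2024-02-08 09:10:15 EST, the first SYN in the timeline

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "conn_state", "history", "orig_pkts", "resp_pkts"]


def constructed_rows():
    """Constructed traffic (assumption): the scanner probes every SCAN_PORT on
    192.168.1.1-192.168.1.6, one SYN every 2 s, and never gets a reply (S0);
    a partner host 198.51.100.20 has normal HTTPS sessions (SF)."""
    rows, t = [], T0
    for host in range(1, 7):
        for port in SCAN_PORTS:
            rows.append((t, "203.0.113.89", 40000 + len(rows), f"192.168.1.{host}",
                         port, "tcp", "-", "S0", "S", 1, 0))
            t += 2.0
    for i in range(4):
        rows.append((T0 + 60 * i, "198.51.100.20", 51000 + i, "192.168.10.5",
                     443, "tcp", "ssl", "SF", "ShADadFf", 12, 10))
    return rows


def render_conn_log(rows):
    """Serialise rows in Zeek's TSV layout (the uid is synthetic here)."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    for i, r in enumerate(rows):
        vals = [f"{r[0]:.6f}", f"C{i:06d}"] + [str(v) for v in r[1:]]
        lines.append("\t".join(vals))
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse conn.log text using its own '#fields' header; '-' becomes None."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}
            rec["ts"] = float(rec["ts"])
            rec["id.resp_p"] = int(rec["id.resp_p"])
            records.append(rec)
    return records


def detect_port_scans(records, interval=300.0, threshold=100):
    """Flag any source that reaches `threshold` distinct (host, port) targets
    within a sliding `interval`-second window. This mirrors the interval /
    threshold model of a firewall reconnaissance-protection rule; the default
    numbers are assumptions, not the page's configuration."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp":
            by_src[r["id.orig_h"]].append((r["ts"], r["id.resp_h"], r["id.resp_p"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        window, live = deque(), Counter()  # events in window, target -> hits
        for ts, host, port in events:
            window.append((ts, host, port))
            live[(host, port)] += 1
            while window[0][0] < ts - interval:  # expire events outside the window
                _, h, p = window.popleft()
                live[(h, p)] -= 1
                if live[(h, p)] == 0:
                    del live[(h, p)]
            if len(live) >= threshold:
                alerts[src] = {
                    "first_ts": events[0][0], "alert_ts": ts,
                    "distinct_hosts": len({h for _, h, _ in events}),
                    "distinct_ports": len({p for _, _, p in events}),
                }
                break
    return alerts


def assess_impact(records, src):
    """Return the connections from `src` that reached an established state and a
    tally of its conn_state values, so 'no successful sessions' is a checked
    claim rather than an assumption."""
    mine = [r for r in records if r["id.orig_h"] == src]
    established = [r for r in mine if r["conn_state"] in ESTABLISHED_STATES]
    return established, Counter(r["conn_state"] for r in mine)


if __name__ == "__main__":
    recs = parse_conn_log(render_conn_log(constructed_rows()))
    for src, alert in detect_port_scans(recs).items():
        est, states = assess_impact(recs, src)
        print(src, alert, "established:", len(est), dict(states))
```

With the defaults, the scanner crosses the 100-target threshold 198 seconds after its first SYN, which is the point at which a threshold-based rule would raise the alert; the same data with a 60-second interval produces no alert, which is why the interval and threshold need to be tuned against real scan rates rather than left at guesses. The impact check reports only S0 states for the scanner, the evidence behind "no successful sessions".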

Jira Incident Report
Ticket: SOC-2024-040
Summary: T1595 – External Active Scanning Detected from Singapore-based IP
Status: RESOLVED
Resolution: RECONNAISSANCE – No Compromise
Priority: P3 – LOW
Labels: T1595, active-scanning, port-scan, reconnaissance, external-threat
Components: Network-Security, Threat-Intelligence

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Palo Alto Networks Threat Prevention logs.
Alert: “Reconnaissance – Port Scan Detected”.
Source IP: 203.0.113.89 (DigitalOcean, Singapore).
Time: 2024-02-08 09:10-09:15 EST.
Technique: MITRE ATT&CK T1595.001 – Active Scanning: Scanning IP Blocks (port scan).

2. Technical Analysis:

Scan Details:

Scan type: TCP SYN (half-open) scan, likely nmap -sS or masscan; the tool itself is not identified by the firewall.
Target: Internal network 192.168.0.0/16 (all internal subnets) as logged. 192.168.0.0/16 is RFC 1918 space and is not routable from the Internet, so an external scanner can only have probed the organization's public addresses; cross-check the logged destinations against NAT to confirm which public addresses were actually hit.
Ports Scanned: 22 common ports (SSH, HTTP, HTTPS, SMB, RDP, SQL, etc.).
Duration: 5 minutes.
Packets: 12,847.
Pattern: Sequential port scan across multiple hosts (horizontal sweep: the same port set against many hosts).

Source Analysis:

IP: 203.0.113.89 – DigitalOcean cloud hosting (Singapore).
Reputation: Recorded Future risk score 65 (Malicious band); associated with scanning campaigns.
History: The same IP was observed scanning 14 other companies in the past 30 days.
GreyNoise: Classified as “internet background noise” – scanner.

Impact Assessment:

All scan traffic dropped by the perimeter firewall's ingress security policy.
No successful connections established.
No data exfiltration.
No internal hosts compromised.

3. Investigation Findings:

Timeline:

09:10:15 – First scan packet detected (SYN to port 22, host 192.168.1.1)

09:12:30 – Scan pattern escalates to multiple hosts/ports

09:15:00 – Palo Alto threshold exceeded, alert generated

09:15:22 – SOC notified via Splunk correlation

09:20:00 – Source IP analysis initiated

09:30:00 – IP added to blocklist

Indicators of Compromise (IoCs):

Network:

– Source IP: 203.0.113.89

– Scan Pattern: TCP SYN to ports 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5432,5900,8080,8443

4. Containment Actions:

Immediate Containment:

Added the source IP to the Palo Alto External Dynamic List (EDL) used for blocking. An EDL only takes effect where a security rule references it, and the firewall picks up the change on the list's configured refresh interval, so confirm the entry is live before closing the ticket.
Updated firewall policies to drop all traffic from the IP.

Prevention:

Tightened the reconnaissance-protection thresholds in the Zone Protection profile.
Added the IP to the threat intelligence feed consumed by all security tools.
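Containment through an EDL is only as safe as the list's contents: an entry that overlaps the organization's own public range or RFC 1918 space turns a block list into an outage. The following Python is an added example, not code from this write-up or from Palo Alto Networks. It maintains an IP-type EDL file in the plain-text format the firewall fetches (one address or CIDR per line): it normalizes entries, rejects anything that overlaps never-block or locally protected ranges or is broader than a chosen limit, collapses overlapping networks, and offers a check that the attacker address is actually covered. The existing list, the protected range 192.0.2.0/24, the rejected sample entries and the scope limits are assumptions.

```python
"""Maintain an IP-type External Dynamic List (EDL) safely.

Added example, not from the original write-up or from Palo Alto Networks.
Assumes the plain-text IP list format PAN-OS fetches for an EDL: one IPv4/IPv6
address or CIDR per line (IP ranges of the form a-b are not handled here).
"""
from ipaddress import collapse_addresses, ip_address, ip_network

# Ranges that must never appear in a perimeter block list: blocking them either
# does nothing useful or breaks internal, loopback or link-local traffic.
NEVER_BLOCK = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

# Widest prefix a single containment entry may carry (assumption: a policy
# choice; a broader block should go through change control, not a SOC script).
MAX_SCOPE = {4: 16, 6: 32}


def normalize_entry(entry, protected=()):
    """Return the canonical ip_network for an EDL entry, or raise ValueError
    with the reason it is unsafe. `protected` lists the organization's own
    public ranges (assumption: supplied by the caller)."""
    net = ip_network(entry.strip(), strict=False)  # host bits tolerated, e.g. 203.0.113.89
    if net.prefixlen < MAX_SCOPE[net.version]:
        raise ValueError(f"{net} is broader than /{MAX_SCOPE[net.version]}")
    for bad in list(NEVER_BLOCK) + [ip_network(p) for p in protected]:
        if bad.version == net.version and net.overlaps(bad):
            raise ValueError(f"{net} overlaps protected range {bad}")
    return net


def parse_edl(text):
    """Read an existing list; blank lines are ignored."""
    return [ip_network(l.strip(), strict=False) for l in text.splitlines() if l.strip()]


def format_entry(net):
    """Host entries are written bare; PAN-OS accepts both forms."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def merge_edl(existing_text, new_entries, protected=()):
    """Add `new_entries` to the list, returning (new_text, rejected) where
    rejected maps each refused entry to its reason. Overlapping or adjacent
    networks are collapsed, so 203.0.113.89 is absorbed by 203.0.113.0/24."""
    nets, rejected = parse_edl(existing_text), {}
    for entry in new_entries:
        try:
            nets.append(normalize_entry(entry, protected))
        except ValueError as err:  # also catches malformed entries
            rejected[entry] = str(err)
    out = []
    for version in (4, 6):
        out += sorted(collapse_addresses(n for n in nets if n.version == version))
    return "".join(format_entry(n) + "\n" for n in out), rejected


def is_covered(edl_text, ip):
    """Containment check: does the list actually match the attacker address?"""
    addr = ip_address(ip)
    return any(addr in n for n in parse_edl(edl_text))


# Constructed inputs (assumptions): an existing list holding one earlier
# scanner range, and 192.0.2.0/24 as the organization's own public prefix.
EXISTING = "198.51.100.0/24\n"
OWN_PUBLIC = ["192.0.2.0/24"]

if __name__ == "__main__":
    text, rejected = merge_edl(
        EXISTING,
        ["203.0.113.89", "203.0.113.0/24", "192.168.5.5", "192.0.2.10", "203.0.0.0/8"],
        protected=OWN_PUBLIC)
    print(text)
    print(rejected)
    print("attacker covered:", is_covered(text, "203.0.113.89"))
```

The explicit NEVER_BLOCK list is used instead of ipaddress's is_private/is_global flags on purpose: those flags also treat the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, so they would refuse the very addresses this write-up uses. After the firewall refreshes the list, the same is_covered check should be repeated against the list the firewall actually fetched, not the file that was edited.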

5. Root Cause Analysis:

Primary Cause: External attacker conducting internet-wide reconnaissance.
Contributing Factors: None (attack was blocked at perimeter).

6. Business Impact: NONE – All traffic blocked.

7. Remediation & Prevention:

Completed Actions:

IP blocked at firewall.
Scan detection thresholds tightened.
Threat intelligence feed updated.

8. Conclusion:

This was an external reconnaissance scan targeting our network perimeter. All traffic was successfully blocked by firewall ingress policies. No compromise occurred.

Closure Rationale: No evidence of successful connections; attacker blocked.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 10:30 EST
