
SOPHOS INTERCEPT X - PORT SCAN DETECTION

Greetings, very good afternoon community!

I have a question.
Is the endpoint capable of detecting and reporting a port scan that has been executed on the network and towards computers that have the Endpoint installed? I have seen that the Sophos Firewall does detect them, but I have no endpoint alerts.

  • I do not believe Intercept X is currently configured to detect local port scans. In theory, it's possible that the IPS engine (in early access) might be able to detect scans. However, I don't know that SophosLabs has prioritized this over more urgent network protection like lateral movement of malware or command & control traffic.

  • If you have XDR (or better yet, MDR), with your Data Lake Uploads enabled, it will appear as a Detection item and be available.

    As for Intercept X Advanced reporting a port scan occurring, it won't. However, if malicious behavior towards a machine over the network occurs, the MTD and IPS components will trigger, but that would not be the same as a port scan.


  • I can confirm the same: I don't see any detections either when port scanning, even with XDR on both endpoints (server and workstation). We have Intercept X advanced XDR with data lake uploads for both server and computer but we don't have Sophos Firewall. Maybe the detection is generated only with the 'detect malicious network traffic' setting active, which can only be set when enabling EAP?

    I would love to know this as well, because a sudden port scan could be a telltale sign of impending attacks, and it's best to know something is going on early.
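The host-side detection the posters are asking about boils down to a simple heuristic: one source touching many distinct ports on one machine within a short window. The following is an added example written for this thread, not Sophos code; it assumes a constructed connection-log format (timestamp, source IP, destination IP, destination port, accept/reject), which real endpoint or OS logs will not match exactly.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example: one host (10.0.0.5) probes 12 distinct
# ports on 10.0.0.20 in three seconds; 10.0.0.7 is a normal SMB client.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 10.0.0.20 21 REJECT
2024-03-01T10:00:00 10.0.0.5 10.0.0.20 22 REJECT
2024-03-01T10:00:00 10.0.0.5 10.0.0.20 23 REJECT
2024-03-01T10:00:01 10.0.0.5 10.0.0.20 25 REJECT
2024-03-01T10:00:01 10.0.0.5 10.0.0.20 80 REJECT
2024-03-01T10:00:01 10.0.0.5 10.0.0.20 110 REJECT
2024-03-01T10:00:02 10.0.0.5 10.0.0.20 135 ACCEPT
2024-03-01T10:00:02 10.0.0.5 10.0.0.20 139 ACCEPT
2024-03-01T10:00:02 10.0.0.5 10.0.0.20 443 REJECT
2024-03-01T10:00:03 10.0.0.5 10.0.0.20 445 ACCEPT
2024-03-01T10:00:03 10.0.0.5 10.0.0.20 3389 ACCEPT
2024-03-01T10:00:03 10.0.0.5 10.0.0.20 8080 REJECT
2024-03-01T10:00:00 10.0.0.7 10.0.0.20 445 ACCEPT
2024-03-01T10:00:30 10.0.0.7 10.0.0.20 445 ACCEPT
2024-03-01T10:01:00 10.0.0.7 10.0.0.20 445 ACCEPT
"""

def parse(line):
    """Split one constructed log line into (timestamp, src, dst, port, state)."""
    ts, src, dst, port, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), state

def detect_scans(lines, min_ports=10, window=timedelta(seconds=5)):
    """Return (src, dst, distinct_ports) for each pair whose peak number of
    distinct destination ports inside any sliding time window reaches min_ports."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        if line.strip():
            ts, src, dst, port, _ = parse(line)
            events[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts

if __name__ == "__main__":
    for src, dst, n in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

Repeated connections to a single port (the 10.0.0.7 client) never trip the threshold, which is the distinction the thread draws between a scan and ordinary traffic; on a real endpoint the rejected-connection count would be a stronger signal than raw port diversity.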

  • I can mention it to SophosLabs. I guess the use case would be an insider running a port scan on the office network? I believe PUA and/or Application Control can already block use of common port scanning tools like nmap.

  • What if someone is scanning the network from a device that doesn't have Sophos installed? Being able to detect this from the network perspective is important. This is a capability other solutions offer as well.