Ports

Purpose

This article provides users with an overview of Ports.

Introduction

This article offers an overview of Ports in the context of Informational findings. It assumes readers have basic access to the OUTSCAN™/HIAB account with an Appsec subscription, although the Ports view is accessible without it, albeit empty. The document details various aspects of ports, including their names, protocols, and associated assets, as well as functionalities for managing comments and statuses. Users can perform actions such as editing tags, marking false positives, and managing columns to customize their view of port-related information. Additionally, the document outlines the significance of the Comments tab for communication with the Outpost24® Appsec team.

Ports Overview

Requirements

It is assumed that the reader has basic access to the OUTSCAN™/HIAB account with Appsec subscription.

The Ports view is visible without an Appsec subscription, but the view will be empty.

Ports

In Findings > Informational > Ports, the ports that are linked to a specific asset are listed.

When clicking on a port, a details view is displayed on the right side of the window.

Details

The Details tab shows more information about the selected port.

This includes fields such as layer, protocol and port.

Ports

A list of all ports and information about them such as port name, port protocol and layer.

Asset

The affected asset, and by clicking the asset name you are redirected to the asset view for more information.

First seen

When the port was first discovered on the specific asset.

Last Seen

When the port was last seen on the specific asset.

Comments

The Comments tab enables you to post comments on ports, as well as sending messages to the Outpost24® Appsec team for review and response about the selected port.

Discussions about a finding are normally customer-internal. Only when eligible (via associated subscription) may a dialog between customer and the Outpost24 AppSec team be initiated.

Starting a Discussion

You can start a discussion about a finding:

Select a finding.
Click the Comments tab on the right side. The Comments tab shows all your ongoing discussions.
Add a new comment and click the blue Start Discussion button.
To reply to a discussion, enter your reply on the Reply to conversation line and click the blue Reply button.

Starting a Discussion with the Outpost24 AppSec Team

You can start a discussion about the findings with the Outpost24 AppSec Team for review and response.

Select a finding.
Click the Comments tab on the right side. The Comments tab shows all your ongoing discussions.
Toggle the Start a discussion with Outpost24 switch.

The Start a discussion with Outpost24 toggle is displayed if and when the underlying finding is eligible.

Add a new comment and click the blue Start Discussion button.
The comment is sent to the Outpost 24 AppSec team.
To reply to an ongoing discussion, enter your reply on the Reply to conversation line and click the blue Reply button.

When discussing with an Outpost 24 AppSec representative, the discussion card is marked clearly with a blue sign in the top left corner of the discussion card.

Deleting a Single Comment

To delete a comment in a discussion, click on the delete icon to the right. This removes the comment from the discussion.

The deleted comment is marked with the text "This message has been deleted".

You can only delete your own comments.

Deleting a Discussion Tree

To delete the entire discussion tree, click on the delete icon to the right on the first line in the card. This removes all conversation in the card.

The deleted discussion and all replies is marked with the text "This message has been deleted".

Removing the top discussion will remove all the following replies in that discussion recursively.

If no comment is given, a default message/comment stating “Transitioned information status from <original status> to <new status> without user's comment." is saved as a activity log to assist with the reviewing of the finding’s history.

The customer can also transition ports from other status like FALSE_POSITIVE or PRESENT.

Example:

Starting discussions with the Outpost24® Appsec team requires an active Appsec subscription.

To access existing comments, enable the comments column and click on the comment icon to quickly launch the comments window.

Manage Ports

Select one or more ports, and choose one of the actions that is displayed on the bottom bar:

Right-clicking a port or a selected group of ports opens a menu where the same tasks can be performed.

The possible user actions are:

Edit tags adds a tag to the selected port. See Tags for more information.
Mark as false positive marks a port as a false positive.
Unmark false positive reverts a port as a false positive.

Columns

By clicking the Column bar next to the Main Menu, you expand the column list available to Ports. Select any Column to view in the main window.

Select a specific column to know that information about a port. All selected columns are displayed in the Ports tab. The available options are described below.

Option	Format	Description
Age		Shows how old the vulnerability is in regards to when then it was first discovered in a scan.
Asset		Name of the asset associated to the finding. Could consist of among others: FQDN IP-address Agent ID Container image name
Asset group IDs		Group IDs attached to Asset that the Finding belongs to.
Asset ID		The unique identifier of the Asset the Finding belongs to.
Banner		The banner is an automatic message from the server when it gets a connection to a port.
Comments		Number of comments associated to the finding.
Created		When the finding object was first created. Counted from when a scan first resulted in this finding or when the Appsec team pushed it.
Created by		Who created it: System if it was from a scan Appsec team if they created it
Created by ID		ID of the account that created the port
Customer ID		ID of the customer
Encaps		Shows if the traffic is encapsulated (ssl/tls etc).
Encryption		Encryption supported by the encapsulation, see Encaps.
First scan ID		ID of the scanlog entry this finding was first found in.
First seen		Date shows when the finding was first discovered on a specific asset during recurring scans. When not found in a scan, the first seen date resets.
ID		Unique identifier of the finding.
Last scan ID		This is the last (latest) scan this finding was found in.
Last seen		Date shows when the finding was last seen on a specific asset. Checks if the finding is present in recurring scans. If it is not found in one scan, the last seen date resets.
Layer
Match IDs		Reference ID to the scanners raw data output that the finding is generated from and contains in depth information such as vhost, port, pattern, url, product versions, and so on.
Port		List of all ports
Ports		Displays ports the finding is found on. Hovering mouse on the port chip displays the port number and protocol as tool-tip. Number filter is applicable on the column.
Seen last scan		Boolean value that shows if the finding was detected during the last scan of the linked asset.
Service name
Source		Which source scanner or product type does the finding originate from.
Status		Indicates the different statuses for a finding. Can be marked as: False Positive - The scanner is finding a risk that has been marked by someone to be a false positive and is not supposed to pick up on. Present - (Default) Shows that a Finding is present after scanning
Tags		Displays the available tags associated with the finding.
Type	PORT	Type of information (Port)
Updated		Timestamp of when the finding was last updated at all for any reason, system- or user-initiated.
Updated by		Who did the last updating action, system, user, or AppSec team and so on.
Updated by ID		ID of the account that did the last updating cation