Port State Changes
The Port State Changes page tracks port state transitions between consecutive scans. When a port changes from open to closed (or vice versa), a state change record is created. This is a core GRC feature for compliance tracking, providing evidence of network changes over time for SOC2 and ISO 27001 reporting.
Fields & Columns
| Name | Description |
|---|---|
| Time | Timestamp when the state change was detected |
| IP | IP address of the host where the port state changed |
| Port | Port number that changed state |
| Protocol | Transport protocol (TCP or UDP) |
| Previous State | Port state before the change (open, closed, or filtered) |
| Current State | Port state after the change (open, closed, or filtered) |
| Service | Detected service running on the port, if identified |
| Version | Detected service version, if identified |
| Scan | Name of the scan that detected the state change |
How To
Track port state changes for compliance
- Navigate to Audit > Port State Changes.
- Filter by subnet or port range.
- Review opened and closed port events.
- Export the filtered view for compliance documentation.
Gotchas
- State changes are stored in TimescaleDB for efficient time-series queries and automatic compression.
- Scanner groups scanning from different vantage points may report different states for the same port, since network path or firewall rules may differ per location.
- A port transitioning from "filtered" to "closed" or vice versa may indicate firewall rule changes rather than service changes.
- State changes are only detected between consecutive scans of the same target. A port must have been seen in a prior scan to generate a change record.
API Calls (1)
| Method | Path | Description |
|---|---|---|
| GET | /api/audit/states | List port state changes with filtering |