GEN:SID 1:1917
Message SCAN UPnP service discover attempt
Summary This event is generated when a scan is detected.
Impact Information gathering.
Detailed Information This event indicates that an attempt has been made to scan a host.

This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
Affected Systems Any host.
Attack Scenarios An attacker may determine if UPnP is enabled on a host and then attempt
to exploit a known vulnerability in the service.
Ease of Attack Simple.
Corrective Action Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.

Check the host for signs of compromise.
Additional References