
Summary
The Internal Vertical Port Scan detection rule identifies a host on the internal network that attempts to connect to more than 500 unique ports on a single destination IP address. This pattern is characteristic of port scanning and reconnaissance and may indicate a threat to network security. To reduce false positives, the rule filters out the port ranges typically used by transient network traffic (ephemeral ports). The detection relies on AWS CloudWatch Logs, specifically VPC flow logs, to monitor network traffic and surface abnormal connection patterns. It reads from the Network_Traffic data model, giving a complete view of attempted connections over the configured time window. For each flagged source and destination pair the rule reports the total number of distinct ports scanned and the number of privileged ports targeted, so that analysts can detect and respond quickly to a possible security incident and strengthen overall network protection.
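The aggregation logic described above, written as an added, stand-alone example; it is not the rule's own search or any code from the rule's maintainers. It parses constructed VPC flow log records in the default version 2 field order, drops destination ports in an ephemeral range, counts distinct destination ports per source/destination pair, applies the "more than 500" threshold, and reports how many of the scanned ports are privileged. The ephemeral range (32768-65535) is an assumption, since the page does not state which range the rule excludes; privileged ports are taken as 0-1023. All sample records are constructed.

```python
"""Added example: vertical port-scan detection over VPC flow log records.

Sample records below are constructed. The field layout follows the default
(version 2) VPC flow log format. The ephemeral range is an assumption; the
rule page does not state the exact range it filters.
"""
from collections import defaultdict

EPHEMERAL_MIN = 32768     # assumption: common Linux ip_local_port_range start
EPHEMERAL_MAX = 65535
PRIVILEGED_MAX = 1023     # ports 0-1023 are the privileged/well-known range
DEFAULT_THRESHOLD = 500   # per the rule: more than 500 unique destination ports

# Default VPC flow log (version 2) field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_record(line):
    """Return a dict for one usable flow record, or None for malformed/NODATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA / SKIPDATA rows carry '-' fields
        return None
    try:
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
    except ValueError:
        return None
    return rec


def is_ephemeral(port):
    return EPHEMERAL_MIN <= port <= EPHEMERAL_MAX


def detect_vertical_scans(lines, threshold=DEFAULT_THRESHOLD):
    """Return {(src, dst): (distinct_ports, privileged_ports)} for every pair
    whose count of distinct non-ephemeral destination ports exceeds threshold."""
    ports_by_pair = defaultdict(set)
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or is_ephemeral(rec["dstport"]):
            continue
        ports_by_pair[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])

    results = {}
    for pair, ports in ports_by_pair.items():
        if len(ports) > threshold:
            privileged = sum(1 for p in ports if p <= PRIVILEGED_MAX)
            results[pair] = (len(ports), privileged)
    return results


def build_sample_log():
    """Constructed sample: one host probing ports 1-1300 on a single peer (plus
    ephemeral-range hits the filter must drop), one normal client, one NODATA row."""
    lines = []
    t = 1700000000
    for port in range(1, 1301):          # 1300 distinct low ports -> should be flagged
        lines.append(f"2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 54321 {port} 6 1 44 {t} {t + 1} REJECT OK")
    for port in range(40000, 40300):     # ephemeral-range destinations, excluded by the filter
        lines.append(f"2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 54322 {port} 6 1 44 {t} {t + 1} REJECT OK")
    for _ in range(50):                  # normal client: repeated traffic to three ports
        for port in (443, 80, 22):
            lines.append(f"2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.2.10 49500 {port} 6 10 1200 {t} {t + 1} ACCEPT OK")
    lines.append("2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000001 - NODATA")
    return lines


if __name__ == "__main__":
    for (src, dst), (total, priv) in detect_vertical_scans(build_sample_log()).items():
        print(f"{src} -> {dst}: {total} distinct ports, {priv} privileged")
```

The threshold check uses a strict greater-than, matching the rule's "over 500" wording; a pair that reaches exactly the threshold is not reported. Keying the distinct-port set on the source/destination pair is what makes the scan "vertical": many ports on one host, rather than one port across many hosts.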
Categories
- Network
- Cloud
- AWS
Data Sources
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1046
Created: 2024-11-15