VPC Flow Port Scanning

Panther Rules

Summary
This rule detects potential reconnaissance by monitoring AWS VPC Flow logs for port scanning behavior. It triggers when a single source address (srcAddr) communicates with 10 or more distinct destination ports (dstPort) on the same destination (dstAddr) within a 60-minute window, excluding a set of common ports (e.g., 80, 443, 53) to reduce noise. It operates on VPC Flow data (egress only) and assumes the log fields srcAddr, dstAddr, srcPort, dstPort, flowDirection, vpcId, region, and subNetId.

The detection is mapped to Network Service Scanning (MITRE ATT&CK TA0007:T1046) and is configured with a 60-minute dedup period to avoid alert storms. The rule is marked Experimental and Disabled by default, reflecting a cautious rollout to validate baseline noise and tuning in a live environment.

The Runbook recommends a sequence of data checks (e.g., pulling the full port sequence around the alert, cross-checking srcAddr against known scanners, IT tooling, or threat intel feeds) and correlating with other alerts within the same vpcId over the past 7 days to identify ongoing reconnaissance.

The provided tests illustrate the expected behavior: egress to a non-common port from an internal or external source should trigger (true); egress to common ports or ingress flows should not (false); and the nature of the source address (e.g., NULL, or an internal versus external IP) influences the severity assigned. Overall, the rule aims to surface probing activity that could precede compromise, while reducing false positives by excluding widely used legitimate ports and focusing on multi-port discovery patterns within a single hour.
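To make the thresholding concrete, the following is an added, stand-alone re-implementation of the logic described above run over constructed VPC Flow records. It is not Panther's rule code: the exact common-port exclusion list, the severity mapping (external source HIGH, internal MEDIUM, NULL or unparsable source LOW), the helper names (`find_port_scans`, `severity_for`, `_flow`) and the sample timestamps, addresses and vpcId values are all assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed exclusion list: the rule text names 80, 443 and 53 only as examples.
COMMON_PORTS = {22, 25, 53, 80, 123, 443}
DISTINCT_PORT_THRESHOLD = 10          # from the rule summary
WINDOW = timedelta(minutes=60)        # from the rule summary

# Internal = RFC 1918; anything else is treated as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True for RFC 1918, False for other addresses, None if NULL/unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except (ValueError, TypeError):
        return None
    return any(ip in net for net in RFC1918)


def severity_for(src_addr):
    """Assumed mapping: external source -> HIGH, internal -> MEDIUM, non-viable -> LOW."""
    internal = is_internal(src_addr)
    if internal is None:
        return "LOW"
    return "MEDIUM" if internal else "HIGH"


def find_port_scans(events):
    """Group egress flows by (srcAddr, dstAddr) and flag any pair that reaches
    DISTINCT_PORT_THRESHOLD distinct non-common dstPorts inside one WINDOW.
    Returns {(srcAddr, dstAddr): {"ports": [...], "severity": "..."}}."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev.get("flowDirection") != "egress":      # ingress never counts
            continue
        port = ev.get("dstPort")
        if port is None or port in COMMON_PORTS:     # noise reduction
            continue
        ts = datetime.fromisoformat(ev["ts"])
        by_pair[(ev.get("srcAddr"), ev["dstAddr"])].append((ts, port))

    findings = {}
    for pair, flows in by_pair.items():
        flows.sort()                                  # sliding window over time-ordered flows
        for i, (start, _) in enumerate(flows):
            ports = {p for ts, p in flows[i:] if ts - start <= WINDOW}
            if len(ports) >= DISTINCT_PORT_THRESHOLD:
                findings[pair] = {"ports": sorted(ports), "severity": severity_for(pair[0])}
                break
    return findings


def _flow(minute, src, dst, dport, direction="egress"):
    """Build one constructed VPC Flow record `minute` minutes after a fixed base time."""
    base = datetime(2026, 4, 21, 12, 0)               # constructed base timestamp
    return {
        "ts": (base + timedelta(minutes=minute)).isoformat(),
        "srcAddr": src, "dstAddr": dst,
        "srcPort": 50000 + dport % 1000, "dstPort": dport,
        "flowDirection": direction,
        "vpcId": "vpc-example", "region": "us-east-1", "subNetId": "subnet-example",
    }


# Constructed sample data covering the cases the rule text describes.
SAMPLE_EVENTS = (
    # internal scanner: 10 distinct high ports plus 80/443 (excluded) in 13 minutes
    [_flow(m, "10.0.0.5", "10.0.1.20", 8000 + m) for m in range(10)]
    + [_flow(11, "10.0.0.5", "10.0.1.20", 80), _flow(12, "10.0.0.5", "10.0.1.20", 443)]
    # external scanner against the same host
    + [_flow(m, "203.0.113.9", "10.0.1.20", 3300 + m) for m in range(10)]
    # NULL source address (non-viable), still 12 distinct ports
    + [_flow(m, None, "10.0.1.60", 5000 + m) for m in range(12)]
    # benign: only common ports, repeated many times
    + [_flow(m, "10.0.0.7", "10.0.1.20", p) for m in range(20) for p in (80, 443, 53)]
    # ingress flows never count, even with 16 distinct ports
    + [_flow(m, "10.0.0.9", "10.0.1.30", 9000 + m, "ingress") for m in range(16)]
    # nine distinct ports: under threshold
    + [_flow(m, "10.0.0.11", "10.0.1.40", 7000 + m) for m in range(9)]
    # ten distinct ports split across two hours: never 10 inside one window
    + [_flow(m, "10.0.0.13", "10.0.1.50", 6000 + m) for m in range(5)]
    + [_flow(70 + m, "10.0.0.13", "10.0.1.50", 6005 + m) for m in range(5)]
)

if __name__ == "__main__":
    for pair, detail in find_port_scans(SAMPLE_EVENTS).items():
        print(pair, detail["severity"], detail["ports"])
```

The sliding window starts at each flow in turn, so a burst that straddles two fixed hours is still caught if 10 distinct ports land within any 60 minutes, while the split-hour case above stays below threshold in every window. In a real deployment the dedup period would then suppress repeat alerts for the same pair for 60 minutes.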
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1046
Created: 2026-04-21