
Summary
The 'Internal Vulnerability Scan' analytic detects likely vulnerability scanning inside an organization's internal network. It monitors Intrusion Detection System (IDS) logs for internal hosts that trigger an unusually large number of IDS signatures. Specifically, it fires when a single internal host triggers more than 25 distinct IDS signatures, or when a single IDS signature is triggered against more than 25 distinct destination IP addresses. Either pattern usually indicates an automated vulnerability scanner sweeping the network, which can enumerate weaknesses that an attacker may later exploit. The analytic gives security teams visibility into such scanning so they can investigate the source and remediate exposed vulnerabilities before they are used. To run it, ingest IDS/IPS logs that conform to the Common Information Model (CIM) so the required fields (source, destination, signature) are available for analysis.
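The two aggregations the summary describes, written out as an added Python example (this is not the analytic's own Splunk search). Field names follow the CIM Intrusion_Detection model (src, dest, signature); treating RFC 1918 addresses as "internal" and applying that filter to both aggregations are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

THRESHOLD = 25  # the analytic's "more than 25" cut-off

# Assumption: an "internal host" is one inside the RFC 1918 ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_internal_scan(events, threshold=THRESHOLD):
    """Apply both detection conditions to CIM-style IDS events.

    Each event is a dict with 'src', 'dest' and 'signature'. Returns:
      ('host', src, n)       one internal host tripped n > threshold signatures
      ('signature', sig, n)  one signature fired against n > threshold dests
    """
    sigs_by_src = defaultdict(set)   # src  -> distinct signatures
    dests_by_sig = defaultdict(set)  # sig  -> distinct destinations
    for ev in events:
        if not is_internal(ev.get("src", "")):
            continue  # only internal sources are in scope
        sigs_by_src[ev["src"]].add(ev["signature"])
        dests_by_sig[ev["signature"]].add(ev["dest"])
    findings = [("host", src, len(s)) for src, s in sorted(sigs_by_src.items()) if len(s) > threshold]
    findings += [("signature", sig, len(d)) for sig, d in sorted(dests_by_sig.items()) if len(d) > threshold]
    return findings


# Constructed sample telemetry: one internal host tripping 30 signatures, one
# signature sweeping 26 hosts, and an external source that must be ignored.
SAMPLE_EVENTS = (
    [{"src": "10.0.5.7", "dest": "10.0.9.1", "signature": f"ET SCAN probe {i}"} for i in range(30)]
    + [{"src": f"10.0.5.{20 + i % 3}", "dest": f"10.0.9.{i}", "signature": "ET SCAN SMB version"}
       for i in range(1, 27)]
    + [{"src": "203.0.113.9", "dest": "10.0.9.50", "signature": f"ET EXPLOIT x{i}"} for i in range(40)]
)

if __name__ == "__main__":
    for kind, key, count in detect_internal_scan(SAMPLE_EVENTS):
        print(f"{kind:<9} {key:<22} distinct={count}")
```

In Splunk this is the same shape as a `stats dc(signature) by src` and `stats dc(dest) by signature` pair; the Python version lets you replay exported events to tune the threshold against your own noise level.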
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1595.002
- T1046
Created: 2024-11-15