
Summary
This detection rule identifies port scan activity on a network by leveraging data from web application firewall logs. Port scanning is a reconnaissance technique used primarily to discover open ports and services on a target system, which can indicate potential vulnerabilities for exploitation. This rule specifically captures patterns associated with Nmap, a popular network scanning tool, by monitoring for suspicious HTTP requests characterized by URI paths that include 'Trinity.txt.bak' or by RTSP protocol indicators. The logic uses Splunk syntax to bin logs over a specific timeframe, cross-referencing destination IP addresses and examining protocol types to classify and highlight potential port scanning behavior. It provides an enriched dataset through DNS lookups and geographical IP location data to assist in identifying the source of the scanning activity. This rule is relevant both for detecting malicious reconnaissance attempts and for recognizing legitimate security assessments performed by IT professionals.
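As an added illustration (not the rule's own Splunk logic, which is not reproduced on this page), the same indicator matching and bin/aggregate stages implemented in Python over constructed WAF log lines; the log format, the 10-minute bin and the two-destination threshold are assumptions, and the DNS/GeoIP enrichment step is left out.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample WAF log lines: timestamp, src_ip, dest_ip, request line.
SAMPLE_LOGS = [
    "2024-02-09T10:00:01Z 203.0.113.5 10.0.0.10 GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0",
    "2024-02-09T10:00:02Z 203.0.113.5 10.0.0.11 OPTIONS / RTSP/1.0",
    "2024-02-09T10:00:03Z 203.0.113.5 10.0.0.12 GET /Trinity.txt.bak HTTP/1.1",
    "2024-02-09T10:00:05Z 198.51.100.7 10.0.0.10 GET /index.html HTTP/1.1",
    "2024-02-09T10:45:00Z 203.0.113.5 10.0.0.13 GET /robots.txt HTTP/1.1",
]
EPOCH = datetime(1970, 1, 1)

def parse(line):
    ts, src, dst, method, uri, proto = line.split(" ", 5)
    # Decode percent-encoding before matching: a raw substring match on the
    # logged URI would miss an encoded form of the same path.
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "dst": dst, "method": method, "uri": unquote(uri), "proto": proto}

def classify(ev):
    """Label one event by the indicators the rule describes, or None."""
    if "Trinity.txt.bak" in ev["uri"]:
        return "nmap_http_probe"
    if ev["proto"].upper().startswith("RTSP/"):
        return "nmap_rtsp_probe"
    return None

def detect(lines, bin_size=timedelta(minutes=10), min_dests=2):
    """Bin matching events by time and source; report sources that probed at
    least min_dests distinct destinations in one bin (both values assumed)."""
    buckets = defaultdict(lambda: {"dests": set(), "probes": set(), "events": 0})
    for line in lines:
        ev = parse(line)
        label = classify(ev)
        if label is None:
            continue
        bin_start = EPOCH + ((ev["ts"] - EPOCH) // bin_size) * bin_size
        b = buckets[(bin_start, ev["src"])]
        b["dests"].add(ev["dst"])
        b["probes"].add(label)
        b["events"] += 1
    alerts = []
    for (bin_start, src), b in sorted(buckets.items()):
        if len(b["dests"]) >= min_dests:
            alerts.append({"bin": bin_start.isoformat(), "src": src,
                           "dest_count": len(b["dests"]), "events": b["events"],
                           "probes": sorted(b["probes"])})
    return alerts  # a real pipeline would add DNS and GeoIP enrichment here
```

Calling `detect(SAMPLE_LOGS)` flags only the constructed scanner source, which hit three distinct destinations with both probe types inside one bin; the normal client and the later single request fall below the threshold.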
Categories
- Network
- Web
- Cloud
Data Sources
- Web Credential
- Application Log
- Firewall
ATT&CK Techniques
- T1046
Created: 2024-02-09