
Summary
This detection rule monitors for internal port scanning within a network. It identifies the scanning behavior a threat actor exhibits when enumerating services on internal hosts after gaining unauthorized access. The rule fires when a single internal source IP scans more than five of a specific set of critical ports within one minute, which indicates likely reconnaissance. The monitored ports include common services such as FTP, SSH, Telnet, SMTP, HTTP, and RDP. The logic relies on the event codes associated with Windows network traffic and uses Splunk to analyze the logs. A key aspect of the rule is that it filters out legitimate traffic, such as that from the Splunk Universal Forwarder, to minimize false positives. The rule matters because it surfaces this early sign of malicious intent, strengthening the security posture by allowing incident response to begin promptly.
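The counting logic described above, as an added Python model that is not the rule's own Splunk search: it walks Windows network-connection events, drops Universal Forwarder traffic, and flags any internal source that reaches more than five monitored ports inside a one-minute window. The event field names, the standard port numbers for the named services, and recognising the forwarder by its `splunkd.exe` image are assumptions for this example; the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Services named in the summary (FTP, SSH, Telnet, SMTP, HTTP, RDP) mapped to
# their standard ports; the rule's real port list may be longer.
CRITICAL_PORTS = {21, 22, 23, 25, 80, 3389}
THRESHOLD = 5                  # alert when MORE than five distinct ports are hit
WINDOW = timedelta(minutes=1)  # per-source sliding window
# Assumption: Universal Forwarder traffic is recognised by its process image.
EXCLUDED_IMAGES = ("splunkd.exe",)

def find_port_scans(events):
    """Return {src_ip: sorted distinct ports} for every internal source that
    reaches more than THRESHOLD critical ports inside any one-minute window.
    Each event is a dict with the (assumed) fields time, src_ip, dest_port, image."""
    per_src = defaultdict(list)
    for e in events:
        if e["image"].lower().endswith(EXCLUDED_IMAGES):
            continue                                   # forwarder noise
        if e["dest_port"] not in CRITICAL_PORTS:
            continue                                   # only monitored ports count
        if not ipaddress.ip_address(e["src_ip"]).is_private:
            continue                                   # rule scopes to internal sources
        per_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["dest_port"]))
    hits = {}
    for src, conns in per_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):        # a window opens at each event
            ports = {p for t, p in conns[i:] if t - start <= WINDOW}
            if len(ports) > THRESHOLD:
                hits[src] = sorted(ports)
                break
    return hits

def _ev(time, src, port, image=r"C:\Windows\System32\svchost.exe"):
    return {"time": time, "src_ip": src, "dest_port": port, "image": image}

PORTS = sorted(CRITICAL_PORTS)
SAMPLE_EVENTS = (
    # constructed: 10.0.0.5 sweeps all six ports within 30 seconds -> alert
    [_ev(f"2024-03-08T10:00:{s:02d}", "10.0.0.5", p) for s, p in zip(range(0, 30, 5), PORTS)]
    # constructed: a forwarder host touches the same ports -> filtered out
    + [_ev(f"2024-03-08T10:00:{s:02d}", "10.0.0.6", p,
           r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe")
       for s, p in zip(range(0, 30, 5), PORTS)]
    # constructed: 10.0.0.7 reaches six ports but spread over 25 minutes -> no alert
    + [_ev(f"2024-03-08T10:{m:02d}:00", "10.0.0.7", p) for m, p in zip(range(0, 30, 5), PORTS)]
)
```

Running `find_port_scans(SAMPLE_EVENTS)` reports only 10.0.0.5; the slow sweep from 10.0.0.7 shows why a per-minute threshold misses low-and-slow scanning and may deserve a longer companion window.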
Categories
- Network
- Endpoint
- Windows
Data Sources
- Windows Registry
- Network Traffic
- Process
ATT&CK Techniques
- T1046
Created: 2024-03-08