
Summary
This detection rule identifies potential port scanning activity on the network. A port scan is a reconnaissance technique in which an attacker probes a host for open ports and the services listening on them, looking for something exploitable. The rule uses threshold logic: it fires when a single source IP attempts connections to 20 or more distinct destination ports within the rule's lookback window. The count is of distinct ports, not of connection attempts, so a host that reconnects to the same port many times does not trip the rule.

Before counting, the rule filters events to those whose event action is 'network_flow' and whose source IP falls within the private address spaces 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. The detection is therefore scoped to scans originating inside the network; scans from external addresses are out of scope for this rule.

The associated investigation guidelines describe how to validate an alert and remediate a confirmed threat, for example by isolating the affected host and updating firewall rules. The rule gives early warning of reconnaissance that often precedes an attack. Its severity is set to low because the same pattern is regularly produced by authorized vulnerability scanners, asset-discovery tools and monitoring systems, so analysts are expected to prioritize alerts from this rule against their own risk assessment and known-scanner inventory rather than treat every hit as hostile.

The following is an added example, not the rule's own implementation or code from the rule's author, of the threshold logic described above run over constructed flow events. The function name detect_port_scans, the ECS-style field names (source.ip, destination.port, event.action, @timestamp), the five-minute lookback window and all sample events are assumptions made for illustration. It shows the three filters the rule applies (event action, private source range, time window) and that the threshold is on distinct destination ports rather than on raw connection count.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Private source ranges the rule filters on, taken from the rule description.
PRIVATE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
PORT_THRESHOLD = 20  # distinct destination ports per source IP

# Fixed "now" so the constructed sample below is deterministic (assumption).
NOW = datetime(2023, 5, 17, 12, 0, 0, tzinfo=timezone.utc)


def is_private_source(ip: str) -> bool:
    """True if ip parses and lies in one of the rule's private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_RANGES)


def detect_port_scans(events, threshold=PORT_THRESHOLD, now=None,
                      lookback=timedelta(minutes=5)):
    """Return {source_ip: sorted distinct destination ports} for every source
    that touched at least `threshold` distinct ports inside the lookback window."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - lookback
    ports_by_source = defaultdict(set)
    for ev in events:
        # Filter 1: only network flow events are considered.
        if ev.get("event.action") != "network_flow":
            continue
        # Filter 2: only events inside the lookback window.
        ts = ev.get("@timestamp")
        if ts is None or ts < cutoff or ts > now:
            continue
        # Filter 3: only private (internal) source addresses.
        src = ev.get("source.ip")
        port = ev.get("destination.port")
        if src is None or port is None or not is_private_source(src):
            continue
        # A set gives us cardinality: repeats of the same port count once.
        ports_by_source[src].add(int(port))
    return {src: sorted(p) for src, p in ports_by_source.items()
            if len(p) >= threshold}


def make_flow(src, dst, port, action="network_flow", age_seconds=0):
    """Build one constructed flow event, `age_seconds` before NOW."""
    return {
        "@timestamp": NOW - timedelta(seconds=age_seconds),
        "event.action": action,
        "source.ip": src,
        "destination.ip": dst,
        "destination.port": port,
    }


# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = (
    # Internal scanner sweeping 25 ports: should alert.
    [make_flow("10.1.2.3", "10.1.2.10", p, age_seconds=p) for p in range(1, 26)]
    # Chatty internal host hitting the same port 30 times: one distinct port, no alert.
    + [make_flow("192.168.5.5", "192.168.5.20", 443, age_seconds=i) for i in range(30)]
    # External address sweeping 25 ports: filtered out by the source range.
    + [make_flow("203.0.113.9", "10.1.2.10", p) for p in range(1, 26)]
    # Internal sweep that happened an hour ago: outside the window.
    + [make_flow("172.20.0.7", "10.1.2.10", p, age_seconds=3600) for p in range(1, 26)]
    # Internal sweep recorded under a different event action: filtered out.
    + [make_flow("10.9.9.9", "10.1.2.10", p, action="network_connection") for p in range(1, 26)]
)


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_EVENTS, now=NOW).items():
        print(f"{src}: {len(ports)} distinct destination ports (first {ports[:5]}...)")
```

Only 10.1.2.3 is reported by the sample run. In a real deployment the window is whatever the rule's schedule and lookback are set to, and the first triage step is to compare the reported source against the inventory of authorized scanners before escalating.
<test>
result = detect_port_scans(SAMPLE_EVENTS, now=NOW)
assert set(result) == {"10.1.2.3"}
assert len(result["10.1.2.3"]) == 25
assert result["10.1.2.3"][0] == 1 and result["10.1.2.3"][-1] == 25
assert is_private_source("172.31.255.255")
assert not is_private_source("172.32.0.1")
assert not is_private_source("203.0.113.9")
assert not is_private_source("not-an-ip")
assert detect_port_scans(SAMPLE_EVENTS, threshold=26, now=NOW) == {}
assert "172.20.0.7" in detect_port_scans(SAMPLE_EVENTS, now=NOW, lookback=timedelta(hours=2))
</test>
Categories
- Network
Data Sources
- Network Traffic
- Logon Session
- Process
ATT&CK Techniques
- T1046
- T1595
- T1595.001
Created: 2023-05-17