
Summary
This detection rule monitors the initiation of network scans from the Teleport platform, which can indicate enumeration activity on the network. The rule fires when a user invokes a scanning command, specifically a utility such as Nmap, which is commonly used to discover hosts and services on a network. It inspects Teleport Audit logs to identify a user executing a network scanning command with arguments that suggest discovery. Potential scanning behaviour is assessed from the supplied command arguments and system-level events. A command executed without arguments, or in an otherwise benign manner, does not raise an alert, which reduces false positives. The detection is assigned medium severity and helps defend against network reconnaissance, a common precursor to attacks.
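The following is an added example, not part of the original rule or of Teleport's code, showing the detection logic run over a handful of constructed audit events. It assumes the events are newline-delimited JSON in the shape of Teleport's `session.command` event (fields `event`, `program`, `path`, `argv`, `user`, `login`, `server_id`, `return_code`); the sample log, the indicator list and the helper names are assumptions made for illustration. Bare or help-only invocations of the scanner are deliberately not alerted on, matching the false-positive handling described above.

```python
from __future__ import annotations

import json
import re
from typing import Iterable, Optional

# Field layout assumed to follow Teleport's session.command audit event
# (program/path/argv/user/login/return_code); samples below are constructed.
SCANNER_PROGRAMS = {"nmap"}  # extend with other scanners as required
HELP_ONLY = {"-h", "--help", "-V", "--version"}
# Argument prefixes that indicate host/service discovery rather than a bare run.
DISCOVERY_FLAGS = ("-s", "-p", "-P", "-O", "-A", "--script", "-iL", "--top-ports", "-F")
# IPv4 CIDR block or last-octet range such as 10.0.0.1-254 (a multi-host target).
RANGE_TARGET = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2}|-\d{1,3})$")


def scan_indicators(argv: list[str]) -> list[str]:
    """Return the argv entries that suggest discovery; an empty list means benign."""
    args = argv[1:]  # argv[0] is the program name itself
    if not args or all(a in HELP_ONLY for a in args):
        return []  # no arguments, or only help/version flags: do not alert
    return [a for a in args if a.startswith(DISCOVERY_FLAGS) or RANGE_TARGET.match(a)]


def evaluate_event(event: dict) -> Optional[dict]:
    """Apply the rule to a single audit event; return an alert dict or None."""
    if event.get("event") != "session.command":
        return None
    program = event.get("program") or event.get("path", "").rsplit("/", 1)[-1]
    if program not in SCANNER_PROGRAMS:
        return None
    indicators = scan_indicators(event.get("argv", []))
    if not indicators:
        return None
    return {
        "severity": "medium",
        "technique": "T1046",
        "user": event.get("user"),
        "login": event.get("login"),
        "server_id": event.get("server_id"),
        "command": " ".join(event.get("argv", [])),
        "indicators": indicators,
    }


def detect(lines: Iterable[str]) -> list[dict]:
    """Run the rule over newline-delimited JSON audit events and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than stop the pipeline
        alert = evaluate_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events for demonstration (not real Teleport output).
SAMPLE_LOG = """
{"event":"session.command","code":"T4000I","user":"alice@example.com","login":"ubuntu","server_id":"srv-1","program":"nmap","path":"/usr/bin/nmap","argv":["nmap","-sn","10.0.0.0/24"],"return_code":0}
{"event":"session.command","code":"T4000I","user":"bob@example.com","login":"ubuntu","server_id":"srv-1","program":"nmap","path":"/usr/bin/nmap","argv":["nmap"],"return_code":0}
{"event":"session.command","code":"T4000I","user":"bob@example.com","login":"ubuntu","server_id":"srv-1","program":"nmap","path":"/usr/bin/nmap","argv":["nmap","--version"],"return_code":0}
{"event":"session.command","code":"T4000I","user":"carol@example.com","login":"root","server_id":"srv-2","program":"nmap","path":"/usr/bin/nmap","argv":["nmap","-sV","-p","22,80,443","192.168.1.1-254"],"return_code":0}
{"event":"session.command","code":"T4000I","user":"carol@example.com","login":"root","server_id":"srv-2","program":"ls","path":"/bin/ls","argv":["ls","-la"],"return_code":0}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Of the five constructed events only the two with discovery arguments (a ping sweep of a /24 and a service scan over an address range) produce alerts; the bare `nmap`, the `--version` check and the unrelated `ls` are ignored. Tuning the rule in practice means adjusting the indicator list and the benign set to match the organisation's own usage of the tool.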
Categories
- Network
- Endpoint
- Cloud
- Infrastructure
Data Sources
- User Account
- Application Log
- Logon Session
ATT&CK Techniques
- T1046
- T4000
- T4002
Created: 2022-09-02