
Summary
The "Potential Network Sweep Detected" rule identifies reconnaissance activity inside a network. A network sweep is an attacker technique for scanning an environment to discover live hosts, open ports and exposed services, which in turn points the attacker at systems that may be exploitable. The rule uses threshold logic: it alerts when connection attempts from a single source IP address reach 10 or more distinct destination hosts on commonly used network service ports (such as 21, 22 and 445). Because the count is of distinct destinations per source, a host that hammers one server many times does not trip it, while a host that touches many servers once each does. The rule evaluates network traffic logs from the specified Elastic Beats indices, so a sweep can be caught during the reconnaissance phase, giving network security teams an early alert to investigate. Authorized vulnerability scanners and monitoring systems produce the same pattern and usually need to be excluded from the rule's source set, and a sweep paced slowly enough to spread its targets across several rule windows will stay below the threshold in any single window.
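The threshold logic described above, written out in Python as an added example (this is not the rule's own query or any code from the Elastic rule package). It groups constructed ECS-style flow events by source IP, counts distinct destination IPs on the watched ports inside a lookback window, and reports sources at or over 10. The port set {21, 22, 445} is the subset the page names; the rule's full port list, the ECS field names used, and the 5-minute lookback are assumptions, and the log lines are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Ports named on the page as examples of what the rule watches. The rule's full
# port list is not reproduced there, so this subset is an assumption.
WATCHED_PORTS = {21, 22, 445}
# Distinct destination hosts per source IP at which the rule alerts.
THRESHOLD = 10

# Windows used when the example runs; the rule's real lookback is assumed, not known.
BASE_TIME = datetime(2023, 5, 17, 12, 0, tzinfo=timezone.utc)
WINDOW_END = BASE_TIME + timedelta(minutes=5)
LOOKBACK = timedelta(minutes=5)
# A much longer window, used to show a slow sweep becoming visible.
LONG_WINDOW_END = BASE_TIME + timedelta(hours=4)
LONG_LOOKBACK = timedelta(hours=4)


def _ecs_event(ts: datetime, src: str, dst: str, port: int) -> str:
    """One ECS-style JSON line with the fields a Beats network index would carry (assumed shape)."""
    return json.dumps({"@timestamp": ts.isoformat(),
                       "source": {"ip": src},
                       "destination": {"ip": dst, "port": port}})


def build_sample_log() -> List[str]:
    """Constructed flow records (not captured traffic) covering the cases that matter."""
    lines: List[str] = []
    # 10.0.0.5: 12 distinct hosts on 22/445 within one minute -> a sweep.
    for i in range(12):
        lines.append(_ecs_event(BASE_TIME + timedelta(seconds=5 * i), "10.0.0.5",
                                f"10.0.0.{20 + i}", 22 if i % 2 else 445))
    # 10.0.0.7: three servers on 445 -> ordinary file-share traffic.
    for i, dst in enumerate(["10.0.0.30", "10.0.0.31", "10.0.0.32"]):
        lines.append(_ecs_event(BASE_TIME + timedelta(seconds=i), "10.0.0.7", dst, 445))
    # 10.0.0.8: 20 connections to one host -> high volume but cardinality 1.
    for i in range(20):
        lines.append(_ecs_event(BASE_TIME + timedelta(seconds=i), "10.0.0.8", "10.0.0.40", 22))
    # 10.0.0.9: 15 hosts on 80 -> not a watched port, so this rule ignores it.
    for i in range(15):
        lines.append(_ecs_event(BASE_TIME + timedelta(seconds=i), "10.0.0.9", f"10.0.0.{50 + i}", 80))
    # 10.0.0.6: 11 hosts on 21, but one every 20 minutes -> a slow sweep.
    for i in range(11):
        lines.append(_ecs_event(BASE_TIME + timedelta(minutes=20 * i), "10.0.0.6", f"10.0.0.{70 + i}", 21))
    return lines


def detect_sweeps(lines: Iterable[str], window_end: datetime, lookback: timedelta,
                  watched_ports: Set[int] = WATCHED_PORTS,
                  threshold: int = THRESHOLD) -> Dict[str, List[str]]:
    """Threshold logic: sources that reached >= threshold distinct destinations
    on watched ports inside [window_end - lookback, window_end]."""
    window_start = window_end - lookback
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        ts = datetime.fromisoformat(event["@timestamp"])
        if not (window_start <= ts <= window_end):
            continue
        if event["destination"]["port"] not in watched_ports:
            continue
        # Distinct-destination cardinality: repeats to one host do not count up.
        targets[event["source"]["ip"]].add(event["destination"]["ip"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    for src, dsts in detect_sweeps(log, WINDOW_END, LOOKBACK).items():
        print(f"ALERT source {src} reached {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")
    for src, dsts in detect_sweeps(log, LONG_WINDOW_END, LONG_LOOKBACK).items():
        print(f"ALERT (4h window) source {src} reached {len(dsts)} hosts")
```

With the 5-minute window only 10.0.0.5 is reported: 10.0.0.8 has cardinality 1 despite 20 connections, 10.0.0.9 never touches a watched port, and 10.0.0.6's slow sweep contributes a single destination per window. Widening the window to four hours surfaces 10.0.0.6 as well, at the cost of also counting legitimate hosts that talk to many servers over a working day, which is the trade-off behind choosing the lookback and the exclusion list for this rule.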
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
- File
- Sensor Health
ATT&CK Techniques
- T1046
- T1595
- T1595.001
Created: 2023-05-17