
Summary
This detection rule identifies external port scanning activity by analyzing network traffic data in Splunk. It monitors traffic from external sources to private IP ranges (those designated for local networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.16.0/16), excluding traffic whose source address is internal, loopback or multicast. The logic aggregates events into 30-second intervals and checks whether a single source reached a significant number of distinct destination ports (≥250) or distinct destination IP addresses (≥250) within that interval. If either condition is met, the rule flags the activity as potentially indicative of port scanning, which is often a precursor to more intrusive attacks. It also performs a DNS lookup and geolocation on the source address to enrich the alert with hostname and geographic context for security analysts. The threat actor associated with this rule is Sandworm (UAC-0165), linking the detection to known malicious activity. This makes it a useful tool for monitoring and analyzing potential reconnaissance activity on the network.
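The aggregation logic described above, reimplemented in Python over constructed flow records as an added illustration (this is not the rule's own SPL): it applies the source and destination filters, bins events into 30-second windows per source, and reports any source/window pair that reaches either threshold. The flow tuple layout and the sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Address classes from the rule description. Python's ip_address().is_private also
# covers documentation ranges, so the RFC 1918 set is spelled out explicitly.
PRIVATE_DEST = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_SRC = PRIVATE_DEST + [ipaddress.ip_network("127.0.0.0/8"),
                               ipaddress.ip_network("224.0.0.0/4")]
WINDOW_SECONDS = 30      # aggregation interval
PORT_THRESHOLD = 250     # distinct destination ports per source per window
HOST_THRESHOLD = 250     # distinct destination IPs per source per window

def is_external_source(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXCLUDED_SRC)

def is_private_dest(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_DEST)

def detect_scans(flows):
    """flows: iterable of (epoch_seconds, src_ip, dest_ip, dest_port) tuples
    (assumed field layout). Returns (window_start, src_ip, n_ports, n_hosts)
    for every source/window pair that trips either threshold."""
    buckets = defaultdict(lambda: (set(), set()))
    for ts, src, dst, port in flows:
        if not (is_external_source(src) and is_private_dest(dst)):
            continue                          # same filter the rule applies
        window = ts - (ts % WINDOW_SECONDS)   # 30 s bin, like Splunk's bin _time
        ports, hosts = buckets[(window, src)]
        ports.add(port)
        hosts.add(dst)
    return [(w, src, len(p), len(h)) for (w, src), (p, h) in sorted(buckets.items())
            if len(p) >= PORT_THRESHOLD or len(h) >= HOST_THRESHOLD]

def sample_flows():
    """Constructed flow records, not real traffic."""
    flows = []
    for i in range(300):   # 203.0.113.10: 300 ports on one host inside one window
        flows.append((1200 + i % 30, "203.0.113.10", "10.1.2.3", 1 + i))
    for i in range(260):   # 198.51.100.7: one port across 260 hosts inside one window
        flows.append((1200 + i % 30, "198.51.100.7", "192.168.%d.%d" % (i // 250, i % 250 + 1), 445))
    for i in range(300):   # internal source doing the same: filtered out by the rule
        flows.append((1200, "10.9.9.9", "10.1.2.3", 1 + i))
    for i in range(300):   # 192.0.2.5: 300 ports but only 30 per window: below threshold
        flows.append((2100 + i, "192.0.2.5", "10.1.2.3", 1 + i))
    return flows
```

Running `detect_scans(sample_flows())` yields two alerts, one for the port sweep and one for the host sweep; the slow scanner stays under the per-window threshold, which is the trade-off of any fixed-interval count.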
Categories
- Network
- Cloud
- Infrastructure
Data Sources
- Network Traffic
- Firewall
ATT&CK Techniques
- T1046
Created: 2024-02-09