
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts

Splunk Security Content

Summary
This analytic detects a single Snort intrusion signature that fires from ten or more distinct internal source IP addresses within a one-hour window, a pattern consistent with mass exploitation or broad targeting. It uses Cisco Secure Firewall Threat Defense logs restricted to the IntrusionEvent event type and, in Splunk, counts the unique source IPs associated with each signature per hour, alerting when the count reaches the threshold. Many internal hosts tripping the same signature in a short period points to opportunistic scanning, worm propagation, or automated exploitation of a known vulnerability: the early stage of a campaign that aims to compromise multiple hosts or move laterally across the network. Expected false positives include authorised vulnerability scans and other simultaneous scanning activity; suppress them by excluding known scanner addresses or tuning the threshold in the search.
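To make the counting logic concrete, the following Python example replays constructed Cisco Secure Firewall Threat Defense style IntrusionEvent records, bins them into fixed one-hour windows, and flags any Snort signature (GID:SID) fired by ten or more distinct internal source addresses in one bin. This is an added illustration, not Splunk's search or the project's code: the key/value field names (EventType, SrcIP, DstIP, GID, SID, Message), the sample addresses, and the scanner allowlist are assumptions for the example. The allowlist shows one way to handle the simultaneous-scan false positive described above.

```python
"""Replay of the 'Snort rule triggered across multiple hosts' logic.

Added example. Field names follow an FTD-style 'Key: value' syslog layout
but are assumptions, as are the addresses and the allowlisted scanner range.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

DISTINCT_SRC_THRESHOLD = 10   # "ten or more distinct internal IPs"
WINDOW_SECONDS = 3600         # one-hour bins
# Assumed internal ranges; sources outside them are not counted.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]
# Assumed authorised scanner subnet; excluded to suppress scan-driven noise.
SCANNER_ALLOWLIST = [ip_network("10.0.99.0/24")]

_KV = re.compile(r'(\w+): ("[^"]*"|[^,]+)')


def parse_event(line):
    """Turn '<ISO8601 ts> Key: value, Key: "quoted value", ...' into a dict."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip().strip('"') for k, v in _KV.findall(rest)}
    fields["_time"] = int(datetime.fromisoformat(
        ts_str.replace("Z", "+00:00")).timestamp())
    return fields


def _in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def detect(lines, threshold=DISTINCT_SRC_THRESHOLD, window=WINDOW_SECONDS,
           allowlist=SCANNER_ALLOWLIST):
    """Return one hit per (hour bin, signature) with >= threshold distinct
    internal, non-allowlisted source IPs. Only IntrusionEvent records count."""
    sources = defaultdict(set)   # (window_start, "GID:SID") -> {SrcIP}
    messages = {}                # "GID:SID" -> first Message seen
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "IntrusionEvent":
            continue
        src = ev.get("SrcIP")
        if not src or not _in_any(src, INTERNAL_RANGES) or _in_any(src, allowlist):
            continue
        sig = f"{ev['GID']}:{ev['SID']}"
        win = ev["_time"] - ev["_time"] % window
        sources[(win, sig)].add(src)
        messages.setdefault(sig, ev.get("Message", ""))
    hits = []
    for (win, sig), srcs in sorted(sources.items()):
        if len(srcs) >= threshold:
            hits.append({
                "window_start": datetime.fromtimestamp(win, timezone.utc).isoformat(),
                "signature": sig,
                "message": messages[sig],
                "distinct_src_count": len(srcs),
                "src_ips": sorted(srcs),
            })
    return hits


def _line(ts, src, gid, sid, msg, etype="IntrusionEvent"):
    return (f'{ts} EventType: {etype}, SrcIP: {src}, DstIP: 10.2.2.9, '
            f'GID: {gid}, SID: {sid}, Message: "{msg}"')


# Constructed sample log lines (not real firewall output).
SAMPLE_LOGS = (
    # ten distinct internal hosts trip the same signature in the 10:00 hour
    [_line(f"2025-04-14T10:{m:02d}:00Z", f"10.1.1.{h}", 1, 2019401,
           "SERVER-WEBAPP command injection attempt")
     for m, h in zip(range(0, 50, 5), range(10, 20))]
    # repeat from a host already counted: must not inflate the distinct count
    + [_line("2025-04-14T10:50:00Z", "10.1.1.10", 1, 2019401,
             "SERVER-WEBAPP command injection attempt")]
    # two allowlisted scanner hosts and one external host: excluded
    + [_line("2025-04-14T10:30:00Z", "10.0.99.7", 1, 2019401, "scanner"),
       _line("2025-04-14T10:31:00Z", "10.0.99.8", 1, 2019401, "scanner"),
       _line("2025-04-14T10:32:00Z", "203.0.113.5", 1, 2019401, "external")]
    # a different signature from only three hosts: below threshold
    + [_line(f"2025-04-14T10:1{i}:00Z", f"10.3.3.{i}", 1, 40000, "other sig")
       for i in range(3)]
    # a non-intrusion record: ignored
    + [_line("2025-04-14T10:33:00Z", "10.1.1.50", 0, 0, "conn", etype="ConnectionEvent")]
    # same signature in the next hour from four hosts: separate bin, below threshold
    + [_line(f"2025-04-14T11:0{i}:00Z", f"10.4.4.{i}", 1, 2019401, "next hour")
       for i in range(4)]
)

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit["window_start"], hit["signature"], hit["distinct_src_count"],
              hit["message"])
```

Running it reports one hit for signature 1:2019401 in the 10:00 bin with exactly ten distinct sources: the repeated host is deduplicated and the scanner and external addresses are dropped. Passing `allowlist=[]` raises the count to twelve, which is the kind of noise the exclusion is there to remove.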
Categories
  • Network
  • Cloud
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1105 (Ingress Tool Transfer)
  • T1027 (Obfuscated Files and Information)
Created: 2025-04-14