The 'Internal Horizontal Port Scan' analytic is designed to detect potential reconnaissance or scanning activity within an organization's internal network by identifying instances where a host communicates with 250 or more distinct destination IP addresses using the same port and protocol. This behavior can indicate malicious intent such as an attacker probing the network for vulnerabilities or misconfigurations. By leveraging AWS CloudWatch Logs of VPC flow data, the rule analyzes network traffic to monitor and respond to such patterns, thereby enhancing network security. The detection logic aggregates traffic data, filtering on internal IP ranges and counting unique destination connections by port, and flags occurrences that exceed the threshold of 250 destination IPs. Organizations using this rule can quickly ascertain unusual activity and take appropriate action to mitigate potential threats.