
Summary
This rule is designed to detect potential SYN-based port scans, a reconnaissance technique attackers use to identify open ports on target networks. By sending SYN packets to a range of destination ports and observing the responses, an attacker can map reachable services that may be vulnerable to exploitation. The detection uses a threshold method: it triggers an alert when a single source host attempts to connect to ten or more destination ports using two or fewer packets per port, a packet count consistent with half-open probes rather than completed sessions. The rule reads events from several network log sources (e.g., logs-endpoint.events.network, logs-network_traffic, packetbeat). By combining network traffic analysis with threat intelligence, it addresses the risk posed by this low-level scanning activity, improves overall network security monitoring, and gives security teams a starting point for investigating potential reconnaissance.
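The threshold logic described above, applied to constructed sample network events, as an added example that is not the rule's own query. The ECS-style field names (source.ip, destination.port, network.packets) are an assumption about the log schema.

```python
"""Threshold check for SYN-style port probing.

Added example (not the detection rule's own query): a source is flagged when it
has touched at least MIN_PORTS distinct destination ports with at most
MAX_PACKETS packets per port. Field names follow ECS-like naming
(source.ip, destination.port, network.packets); that schema is an assumption.
"""
from collections import defaultdict

MIN_PORTS = 10     # distinct destination ports before alerting
MAX_PACKETS = 2    # per-port packet count that still looks like a half-open probe

# Constructed sample events: one scanner, one normal client, one borderline host.
SAMPLE_EVENTS = (
    [{"source.ip": "10.0.0.5", "destination.ip": "10.0.1.20",
      "destination.port": p, "network.packets": 1} for p in range(20, 32)]      # 12 ports, 1 pkt each
    + [{"source.ip": "10.0.0.8", "destination.ip": "10.0.1.20",
        "destination.port": p, "network.packets": 40} for p in (22, 80, 443)]   # full sessions
    + [{"source.ip": "10.0.0.9", "destination.ip": "10.0.1.20",
        "destination.port": p, "network.packets": 2} for p in range(100, 109)]  # 9 low-packet ports
    + [{"source.ip": "10.0.0.9", "destination.ip": "10.0.1.20",
        "destination.port": 443, "network.packets": 300}]                       # 10th port is a real session
)


def find_port_scanners(events, min_ports=MIN_PORTS, max_packets=MAX_PACKETS):
    """Return {source_ip: sorted probed ports} for sources crossing the threshold."""
    # Total packets per (source, destination port); a scanner rarely completes a handshake.
    packets = defaultdict(int)
    for ev in events:
        packets[(ev["source.ip"], ev["destination.port"])] += ev.get("network.packets", 1)

    # Only ports that saw a probe-sized packet count contribute to the port count.
    probed = defaultdict(set)
    for (src, port), count in packets.items():
        if count <= max_packets:
            probed[src].add(port)

    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_port_scanners(SAMPLE_EVENTS).items():
        print(f"ALERT potential SYN scan from {src}: {len(ports)} ports {ports}")
```

Note that 10.0.0.9 stays below the threshold because its tenth port carried a full session, which is exactly the case the per-port packet cap is meant to exclude.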
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Container
- Script
- User Account
- Application Log
ATT&CK Techniques
- T1046
- T1595
- T1595.001
Created: 2023-05-17