Upwind Network Detection Passthrough

Panther Rules

Summary
This rule re-raises Upwind network detections within Panther, focusing on network-based anomalies such as port scans, DoS activity, DNS anomalies, DNS-over-HTTPS abuse, and other unusual network behavior detected by Upwind.

It operates by querying Upwind.Detections for network detections related to the same resource.name within the last 24 hours to determine if the event is isolated or part of a sustained pattern. It then correlates external exposure data (resource.internet_exposure.ingress.active_communication) with cloud network flow logs for the resource's region and cloud_account_id to identify potential external actors. The rule also checks for other HIGH or CRITICAL alerts from the same cloud_account_id in the prior 7 days to assess broader threat activity.

It is Enabled and currently marked as Experimental, with a Medium severity. Deduplication is 720 minutes and the threshold is 1, meaning a single relevant Upwind detection can trigger an alert. The rule maps to MITRE ATT&CK TA0007: T1046 (Network Service Discovery).

Tests include a High Network Detection scenario showing internal port scanning from a pod, including associated resource metadata (cloud_account_id, region, ingress exposure) and an Upwind detection entry. It references Upwind's threat-detection API for context and is intended to surface actionable network threat signals from Upwind within Kubernetes/cloud environments.
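The following is an added example, not the Panther rule's own code, showing the correlation steps the summary describes as plain, stand-alone Python. It assumes (none of this is on the page) that events are plain dicts, that the Upwind detection carries detection.category, detection.type and resource.private_ip alongside the fields the summary names, and that the 24-hour, 7-day and flow-log lookups the real rule runs against the Panther data lake can be simulated with constructed in-memory lists.

```python
"""Simplified pass-through and enrichment logic for an Upwind network detection.

Added example; not Panther's or Upwind's code. Field names detection.category,
detection.type and resource.private_ip are assumptions; the data-lake lookups
are simulated with the constructed lists at the bottom of the file.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

DETECTION_LOOKBACK = timedelta(hours=24)   # "same resource.name within the last 24 hours"
ALERT_LOOKBACK = timedelta(days=7)         # "HIGH or CRITICAL alerts ... in the prior 7 days"
ESCALATION_SEVERITIES = {"HIGH", "CRITICAL"}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rule(event):
    """Pass-through: fire on every Upwind detection in the network category (assumed field)."""
    return deep_get(event, "detection", "category") == "network"


def title(event):
    kind = deep_get(event, "detection", "type", default="unknown")
    name = deep_get(event, "resource", "name", default="<unknown resource>")
    return f"Upwind network detection: {kind} on {name}"


def related_detections(event, history, now):
    """Network detections on the same resource.name within the last 24 hours."""
    name = deep_get(event, "resource", "name")
    cutoff = now - DETECTION_LOOKBACK
    return [d for d in history
            if deep_get(d, "resource", "name") == name
            and deep_get(d, "detection", "category") == "network"
            and cutoff <= parse_ts(d["timestamp"]) < now]


def externally_exposed(event):
    return bool(deep_get(event, "resource", "internet_exposure", "ingress", "active_communication"))


def external_sources(event, flows):
    """Non-RFC1918 sources in flow logs for the resource's region/account that reached it."""
    region = deep_get(event, "resource", "region")
    account = deep_get(event, "resource", "cloud_account_id")
    target = deep_get(event, "resource", "private_ip")
    return sorted({f["srcaddr"] for f in flows
                   if f["region"] == region and f["account_id"] == account
                   and f["dstaddr"] == target
                   and not any(ip_address(f["srcaddr"]) in net for net in RFC1918)})


def prior_account_alerts(event, alerts, now):
    """Other HIGH/CRITICAL alerts for the same cloud_account_id in the last 7 days."""
    account = deep_get(event, "resource", "cloud_account_id")
    cutoff = now - ALERT_LOOKBACK
    return [a for a in alerts
            if a["cloud_account_id"] == account
            and a["severity"] in ESCALATION_SEVERITIES
            and cutoff <= parse_ts(a["timestamp"]) < now]


def alert_context(event, history, flows, alerts, now):
    """Enrichment an analyst would want attached to the re-raised alert."""
    related = related_detections(event, history, now)
    exposed = externally_exposed(event)
    return {
        "pattern": "sustained" if related else "isolated",
        "related_detections_24h": len(related),
        "externally_exposed": exposed,
        "external_sources": external_sources(event, flows) if exposed else [],
        "prior_high_critical_alerts_7d": len(prior_account_alerts(event, alerts, now)),
    }


NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)

# Constructed sample event: internal port scan from a pod with active ingress exposure.
EVENT = {
    "timestamp": "2026-03-24T11:58:00Z",
    "detection": {"category": "network", "type": "port_scan", "severity": "HIGH"},
    "resource": {"name": "pod/payments-api-7d9f", "cloud_account_id": "123456789012",
                 "region": "us-east-1", "private_ip": "10.0.3.17",
                 "internet_exposure": {"ingress": {"active_communication": True}}},
}
HISTORY = [  # constructed Upwind.Detections rows (one in-window, one stale, one other pod)
    {"timestamp": "2026-03-24T09:00:00Z", "detection": {"category": "network"}, "resource": {"name": "pod/payments-api-7d9f"}},
    {"timestamp": "2026-03-22T09:00:00Z", "detection": {"category": "network"}, "resource": {"name": "pod/payments-api-7d9f"}},
    {"timestamp": "2026-03-24T10:00:00Z", "detection": {"category": "network"}, "resource": {"name": "pod/other-1"}},
]
FLOWS = [  # constructed flow-log rows (one external hit, one internal, one wrong region)
    {"region": "us-east-1", "account_id": "123456789012", "srcaddr": "203.0.113.9", "dstaddr": "10.0.3.17"},
    {"region": "us-east-1", "account_id": "123456789012", "srcaddr": "10.0.3.5", "dstaddr": "10.0.3.17"},
    {"region": "eu-west-1", "account_id": "123456789012", "srcaddr": "198.51.100.4", "dstaddr": "10.0.3.17"},
]
ALERTS = [  # constructed prior alerts (one in-window HIGH, one stale CRITICAL, one LOW)
    {"timestamp": "2026-03-22T08:00:00Z", "cloud_account_id": "123456789012", "severity": "HIGH"},
    {"timestamp": "2026-03-10T08:00:00Z", "cloud_account_id": "123456789012", "severity": "CRITICAL"},
    {"timestamp": "2026-03-23T08:00:00Z", "cloud_account_id": "123456789012", "severity": "LOW"},
]

if __name__ == "__main__":
    if rule(EVENT):
        print(title(EVENT))
        print(alert_context(EVENT, HISTORY, FLOWS, ALERTS, NOW))
```

With the constructed data the event is classified as a sustained pattern (one earlier network detection on the same pod inside 24 hours), one non-RFC1918 source is found reaching the pod in the matching region and account, and one prior HIGH alert from the same account falls inside the 7-day window; the stale and out-of-scope rows are filtered out.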
Categories
  • Network
  • Kubernetes
  • Containers
  • Cloud
  • AWS
Data Sources
  • Pod
  • Network Traffic
ATT&CK Techniques
  • T1046
Created: 2026-03-24