mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

Cyware Submission - Added changes to CAR 2021-01-001 #92

Closed kp625544 closed 3 years ago

ikiril01 commented 3 years ago

@kp625544 thanks!

ikiril01 commented 3 years ago

@kp625544 we had a few more questions on this one:

It says the source is firewall logs and the destination is an internal IP, so I'm presuming you're looking for external to internal scans blocked by the firewall?

Also, what time range did you have in mind? If you're doing internal scan detection with passive network monitoring over a long enough timespan things like arbitrary port usage from protocols like RPC is going to cause a ton of false positives.
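The window trade-off ikiril01 raises, as an added example that is not code from the CAR repository or this PR: a sliding-window count of distinct destination ports per source over constructed firewall events. The record layout, thresholds and sample addresses are assumptions; the fast external scan is flagged at any window length, while the internal client using dynamic RPC ports only crosses the threshold once the window is stretched to an hour.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FwEvent:
    """One firewall log record (constructed layout, not a real vendor format)."""
    ts: int        # seconds since epoch
    src: str
    dst: str
    dport: int
    action: str    # "deny" or "allow"


def build_sample():
    """Constructed events: one fast external scan, one slow internal RPC client."""
    events = []
    # External host probes 30 distinct ports on one internal host within 10 s, all denied.
    for i in range(30):
        events.append(FwEvent(1000 + i // 3, "203.0.113.7", "10.0.0.5", 20 + i, "deny"))
    # Internal client reaches 25 distinct dynamic ports (49152+) over ~1 h, one every 150 s.
    for i in range(25):
        events.append(FwEvent(1000 + i * 150, "10.0.1.20", "10.0.0.9", 49152 + i, "allow"))
    return events


def flag_scanners(events, window, min_ports, actions=("deny",)):
    """Return sources that hit >= min_ports distinct dst ports within any `window` seconds.

    Only events whose action is in `actions` are counted, so the default looks at
    blocked traffic only, matching the firewall-deny reading of the analytic.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in actions:
            by_src[e.src].append((e.ts, e.dport))
    flagged = set()
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged
```

With a 60-second window only the external source trips the threshold; widening it to 3600 seconds over all traffic also flags the RPC client, which is the false-positive pattern the comment describes.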