[Rule Tuning] Potential Port Scanning Activity from Compromised Host (#5161)

* [Rule Tuning] Potential Port Scanning Activity from Compromised Host

* Update rules/linux/discovery_port_scanning_activity_from_compromised_host.toml

* Update port scanning detection query

Refine query to include source IP and limit destination port range.

* Update discovery_port_scanning_activity_from_compromised_host.toml

* Update query in discovery port scanning rule

* Update discovery_port_scanning_activity_from_compromised_host.toml

Author: Aegrah

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/02"
+updated_date = "2025/09/29"
 
 [rule]
 author = ["Elastic"]
@@ -100,6 +100,8 @@ from logs-endpoint.events.network-*
     host.os.type == "linux" and
     event.type == "start" and
     event.action == "connection_attempted" and
+    network.direction  == "egress" and
+    destination.port < 32768 and
     not (
       cidr_match(destination.ip, "127.0.0.0/8", "::1", "FE80::/10", "FF00::/8") or
       process.executable in (
@@ -122,14 +124,16 @@ from logs-endpoint.events.network-*
     destination.port,
     process.executable,
     destination.ip,
+    source.ip,
     agent.id,
     host.name
 | stats
     Esql.event_count = count(),
     Esql.destination_port_count_distinct = count_distinct(destination.port),
     Esql.agent_id_count_distinct = count_distinct(agent.id),
     Esql.host_name_values = values(host.name),
-    Esql.agent_id_values = values(agent.id)
+    Esql.agent_id_values = values(agent.id),
+    Esql.source_ip_values = values(source.ip)
     by process.executable, destination.ip
 | where
     Esql.agent_id_count_distinct == 1 and