From 58b0d8e5534f62bfc51f8de8ca370dc1b8699e69 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 16 Jan 2026 23:21:12 -0300
Subject: [PATCH] Update discovery_potential_port_scan_detected.toml (#5571)
---
 rules/network/discovery_potential_port_scan_detected.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index 5c9266ece..88779da13 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/17"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,7 @@ from logs-network_traffic.*, packetbeat-*, logs-panw.panos*
 Esql.values_destination_ports = VALUES(destination.port),
 Esql.values_sensitive_ports = VALUES(destination.port) where sensitive_port == true
 by Esql.time_window, destination.ip, source.ip
-| where (Esql.count_distinct_destination_ports >= 50 or Esql.values_sensitive_ports >= 5)
+| where (Esql.count_distinct_destination_ports >= 50 or Esql.count_distinct_sensitive_ports >= 5)
 | keep source.ip, destination.ip, Esql.*
 '''
 note = """## Triage and analysis
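Review bot: The new threshold term `Esql.count_distinct_sensitive_ports` in the added `| where` line is not defined anywhere in the visible part of the STATS clause, which only shows `Esql.values_sensitive_ports = VALUES(destination.port) where sensitive_port == true`; a matching `COUNT_DISTINCT(destination.port) where sensitive_port == true` aggregation is presumably declared earlier in the query, above the hunk, and the rule will fail to compile if it is not, so this is worth confirming against the full query. The change itself is sound: the old form compared a VALUES() multi-value list against `>= 5`, so the sensitive-port branch of the alert condition likely never evaluated as intended, and switching to the distinct count restores detection of scans that touch only a handful of sensitive ports without tripping the 50-port threshold. Keeping `Esql.values_sensitive_ports` in the output remains useful for triage, since the analyst can see which sensitive ports were probed. The `query` multi-line literal and the STATS block start outside the hunk.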