diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index 7520d59e1..0659815cb 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/17"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/02/28"
+updated_date = "2026/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.action:network_flow and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
+event.action:(network_flow or flow_started) and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
 source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 note = """## Triage and analysis
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index 88779da13..872921d95 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/17"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/02/24"
 
 [rule]
 author = ["Elastic"]
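Review bot: The triage note that begins on the hunk's last line (`note = """## Triage and analysis`, continuing past the hunk) is not touched alongside the query, so it presumably still describes only the Packetbeat `network_flow` records the rule used to match, even though `flow_started` events are now in scope. Given the `integration` list on the first hunk, `flow_started` most likely comes from the `panw` integration, and an analyst reading an alert should be told that a firewall session log is a possible source before pivoting. A sentence such as `This rule matches Packetbeat network_flow records as well as firewall flow_started session logs from the panw integration; check event.dataset on the alert to see which source fired.` near the top of the note would close the gap. The same documentation gap applies to the port-scan and SYN-port-scan rules in this commit, whose notes follow the same changed predicate.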
@@ -36,7 +36,7 @@ type = "esql"
 query = '''
 from logs-network_traffic.*, packetbeat-*, logs-panw.panos*
 | mv_expand event.action
-| where event.action == "network_flow" and destination.port is not null and source.ip is not null and destination.ip is not null
+| where event.action in ("network_flow", "flow_started") and destination.port is not null and source.ip is not null and destination.ip is not null
 | eval Esql.time_window = DATE_TRUNC(1min, @timestamp)
 | where CIDR_MATCH(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
 | eval sensitive_port = case(destination.port IN (21, 22, 23, 53, 88, 139, 389, 445, 3389, 5900, 5985, 5986, 9389), true, false)
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index 4a1cd603b..42cfe232e 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/17"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/02/28"
+updated_date = "2026/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.action:network_flow and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+event.action:(network_flow or flow_started) and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
 note = """## Triage and analysis
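Review bot: The `network.packets <= 2` predicate on the `+` line of the SYN-port-scan hunk loses its discriminating power once `flow_started` is accepted: it was written for completed flow records, where a session that never got past one or two packets is the signal for a half-open probe, but a start-of-session record, if the firewall emits it when the session is created, would carry only the first packet or two by construction, so nearly every `flow_started` event passes the filter and the rule degrades to "any new session from RFC 1918 space to any port" for that source. This should be confirmed against sample `flow_started` documents before the rule ships; if the counters are indeed initial, either keep `flow_started` out of this rule or pair it with the integration's end-of-session action value so the packet total is final. The ES|QL port-scan hunk above carries no packet-count condition and is not affected.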