Portscanning is not a crime
For those following along with ATT&CK, this entry is about Network Service Scanning, Discovery technique T1046.
Time to get to detecting!
I think if you are looking for an adversary to hit more than 500 or 1,000 ports then you are looking for the noisiest of attackers, especially on internal network traffic; there's a better way. We need to look at the tools attackers use and think about the most efficient way for them to get the information they need without lighting up your SIEM like a Christmas tree.
Luckily nmap has a page dedicated to just this question, "What Are the Most Popular Ports?", and from it the top 20 TCP ports (listed here in numeric order, the same 20 the search below filters on) are: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900 and 8080.
Those are the ports whose services are interesting to attackers; if there is room to prioritise, I think it's right there.
Let's stop looking for people hitting a thousand ports and instead look for src addresses hitting ten or more of these top 20. If you want to test this SPL, head on over and grab Splunk's botsv1, which provides a good static dataset; hell, grab botsv2 and botsv3 while you are at it.
index=botsv1 sourcetype=stream:tcp earliest=0
| where dest_port IN ("21", "22", "23", "25", "53", "80", "110", "111", "135", "139", "143", "443", "445", "993", "995", "1723", "3306", "3389", "5900", "8080")
| stats values(dest_port) AS d_ports dc(dest_port) AS Count by src dest
| where Count >= 10
| sort -Count
Here's what that search looks like in action:
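The same detection logic as the SPL above, written in Python and run over constructed flow records (an added example, not code from the original post): it keeps only the top-20 ports, counts distinct ports per src/dest pair, and reports pairs at or above the ten-port threshold. The sample records (a low-and-slow scanner, a chatty but benign web client, and a scanner under the threshold) are made up for the demonstration.

```python
from collections import defaultdict

# nmap's top 20 TCP ports, the same set the SPL search above filters on
TOP20_TCP_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443,
                   445, 993, 995, 1723, 3306, 3389, 5900, 8080}

def parse_event(line):
    """Parse one constructed 'key=value ...' flow record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def scanning_pairs(lines, threshold=10):
    """Per (src, dest) pair, count distinct dest ports that fall in the top-20
    set and return the pairs at or above the threshold, highest count first.
    Repeated hits on the same port count once, like dc(dest_port) in SPL."""
    ports_by_pair = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        port = int(ev["dest_port"])
        if port in TOP20_TCP_PORTS:          # ports outside the set never count
            ports_by_pair[(ev["src"], ev["dest"])].add(port)
    hits = {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= threshold}
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))

def sample_lines():
    """Constructed flow records (not real data) covering three behaviours."""
    lines = []
    # 10.0.0.5 probes 12 of the top-20 ports on 10.0.0.20, plus two odd ports
    for p in [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389, 9999, 31337]:
        lines.append(f"src=10.0.0.5 dest=10.0.0.20 dest_port={p}")
    # 10.0.0.7 hits 80/443 on the same host many times: many events, but dc=2
    for _ in range(50):
        lines += ["src=10.0.0.7 dest=10.0.0.20 dest_port=80",
                  "src=10.0.0.7 dest=10.0.0.20 dest_port=443"]
    # 10.0.0.9 touches only 5 top-20 ports on 10.0.0.30: stays under threshold
    for p in [22, 80, 443, 445, 3389]:
        lines.append(f"src=10.0.0.9 dest=10.0.0.30 dest_port={p}")
    return lines

if __name__ == "__main__":
    for (src, dest), ports in scanning_pairs(sample_lines()):
        print(f"{src} -> {dest}: {len(ports)} top-20 ports {ports}")
```

Lowering the threshold argument shows the trade-off the post describes: at 5 the second scanner surfaces too, while the web client with its 100 events never does.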