Custom Alerts for Internal Network Scans

Hi, I’d like to create some custom detection rules in order to detect internal network scans. I wanna utilize the firewall logs for that. Something like one source IP that connected to more than 100 systems in less than 5 minutes or a source IP that connect to a lot of systems via a specific port (445, 22, 21). Has anyone some log search queries that I could use as a template for this? Or do you have any other ideas in order to detect internal scans by using firewall logs?