Under Event Groups, look at Network Audit Alerts. There are source/destination port fields. I'd expect the search to return specific event classes (like TCPTrafficAudit or IPTrafficAudit), and then you could build a rule to look for those events with the right characteristics for alerts.