how can i detect Unusual Port Activity

I am trying to write a manual for the intern on how to deal with some threats, so what investigation steps code be done to detect Unusual Port Activity, what kind of logs could be found to ensure that there are unusual activities