Nmap Process Activity
Warning: This rule has been deprecated as of 2021/04/15.
Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
Version: 100
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
event.category:process and event.type:(start or process_started) and process.name:nmap
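An added Python example, not part of the Elastic rule or its documentation, that evaluates the query above over constructed auditbeat/endpoint-style events and applies the now-9m look-back window and the 100-alert cap listed on this page; the sample events, host names and the assumed "now" are constructed values.

```python
from datetime import datetime, timedelta, timezone

# Constructed ECS-style process events (sample data, not real captures).
SAMPLE_EVENTS = [
    {"@timestamp": "2021-04-15T10:00:05Z", "host": {"name": "web-01"},
     "event": {"category": "process", "type": ["start"]},
     "process": {"name": "nmap", "args": ["nmap", "-sV", "10.0.0.0/24"]}},
    {"@timestamp": "2021-04-15T10:00:09Z", "host": {"name": "web-01"},
     "event": {"category": "process", "type": ["end"]},           # nmap exiting: not a start
     "process": {"name": "nmap"}},
    {"@timestamp": "2021-04-15T10:01:00Z", "host": {"name": "db-01"},
     "event": {"category": "process", "type": ["start"]},
     "process": {"name": "nmap-wrapper"}},                          # keyword match is exact
    {"@timestamp": "2021-04-15T09:40:00Z", "host": {"name": "build-01"},
     "event": {"category": "process", "type": "process_started"},  # matches, but older than now-9m
     "process": {"name": "nmap"}},
]
NOW = datetime(2021, 4, 15, 10, 5, 0, tzinfo=timezone.utc)  # assumed time of this rule execution


def _as_list(value):
    """ECS fields such as event.type may arrive as a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_nmap_rule(event):
    """event.category:process and event.type:(start or process_started) and process.name:nmap"""
    ev = event.get("event", {})
    return ("process" in _as_list(ev.get("category"))
            and any(t in ("start", "process_started") for t in _as_list(ev.get("type")))
            and event.get("process", {}).get("name") == "nmap")


def run_rule(events, now, lookback=timedelta(minutes=9), max_alerts=100):
    """One execution: keep events inside the look-back window, apply the query, cap alerts."""
    window_start = now - lookback
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if ts >= window_start and matches_nmap_rule(e):
            alerts.append(e)
    return alerts[:max_alerts]


if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS, NOW):
        proc = a["process"]
        print(a["@timestamp"], a["host"]["name"], " ".join(proc.get("args", [proc["name"]])))
```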