---
title: Nmap Process Activity
description: Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening...
url: https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/linux_nmap_activity
products:
  - Elastic Security
---

# Nmap Process Activity
<warning>
  This rule has been deprecated as of 2021/04/15.
</warning>

Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and
discover networks, and identify listening services and operating systems. It is sometimes used to gather information in
support of exploitation, execution or lateral movement.

**Rule type**: query
**Rule indices**:
- auditbeat-*
- logs-endpoint.events.*

**Rule Severity**: low
**Risk Score**: 21
**Runs every**: 
**Searches indices from**: `now-9m`
**Maximum alerts per execution**: 100
**References**:
- [https://en.wikipedia.org/wiki/Nmap](https://en.wikipedia.org/wiki/Nmap)

**Tags**:
- Elastic
- Host
- Linux
- Threat Detection

**Version**: 100
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Rule Query

```kuery
event.category:process and event.type:(start or process_started) and process.name:nmap
```
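The query's three conditions, evaluated over constructed ECS-style events, as an added example that is not Elastic's code. The names `field_values`, `matches_rule` and `matching_hosts`, and all sample events, are assumptions for illustration. A field matches when any of its values equals the term, which is how a term matches a multi-valued field.

```python
# Added example: re-implements the rule query's logic for testing against sample events.

def field_values(doc, dotted):
    """Return the values at a dotted field path as a list (nested or flat keys, scalar or array)."""
    if dotted in doc:
        node = doc[dotted]
    else:
        node = doc
        for part in dotted.split("."):
            if not isinstance(node, dict) or part not in node:
                return []
            node = node[part]
    return node if isinstance(node, list) else [node]

def matches_rule(doc):
    """event.category:process and event.type:(start or process_started) and process.name:nmap"""
    return (
        "process" in field_values(doc, "event.category")
        and any(v in ("start", "process_started") for v in field_values(doc, "event.type"))
        and "nmap" in field_values(doc, "process.name")
    )

# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    # Array-valued category/type: matches.
    {"host": {"name": "web-01"}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "nmap"}},
    # Scalar fields with the process_started value the query also accepts: matches.
    {"host": {"name": "db-02"}, "event": {"category": "process", "type": "process_started"},
     "process": {"name": "nmap"}},
    # Flattened keys: matches.
    {"host.name": "ci-03", "event.category": "process", "event.type": "start",
     "process.name": "nmap"},
    # Process end event: event.type does not match.
    {"host": {"name": "web-01"}, "event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "nmap"}},
    # Network event attributed to nmap: event.category does not match.
    {"host": {"name": "web-01"}, "event": {"category": ["network"], "type": ["start"]},
     "process": {"name": "nmap"}},
    # Unrelated process start: process.name does not match.
    {"host": {"name": "db-02"}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "sshd"}},
]

def matching_hosts(events):
    """Return host.name for every event the rule logic would alert on."""
    return [field_values(e, "host.name")[0] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(matching_hosts(SAMPLE_EVENTS))
```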