Unusual Linux Network Port Activity

Elastic Stack Serverless Security

Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-45m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• /reference/security/prebuilt-jobs.md

Tags:

• Elastic
• Host
• Linux
• Threat Detection
• ML

Version: 100

Rule authors:

• Elastic

Rule license: Elastic License v2