event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and
event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
Install detection rules in Elastic Security
Detect Potential Network Scan Executed From Host in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).