Unusual Linux Network Port Activity

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-03-25

About

Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.

Tags: Domain: EndpointOS: LinuxUse Case: Threat DetectionRule Type: MLRule Type: Machine Learning
Severity: low
Risk Score: 21
False Positive Examples: A newly installed program or one that rarely uses the network could trigger this alert.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Linux Network Port Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).