Elastic Security Detection Rules

Ollama API Accessed from External Network

Last updated 5 days ago on 2026-01-09
Created 5 days ago on 2026-01-09

About

Detects when the Ollama LLM server accepts connections from external IP addresses. Ollama lacks built-in authentication, so exposed instances allow unauthenticated model theft, prompt injection, and resource hijacking.
Tags
Domain: EndpointOS: LinuxOS: macOSOS: WindowsUse Case: Threat DetectionTactic: Initial AccessData Source: Elastic DefendDomain: LLMMitre Atlas: T0040Mitre Atlas: T0044Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Exploit Public-Facing Application (T1190)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.network-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
network where event.action == "connection_accepted" and
  process.name in ("ollama", "ollama.exe") and
  destination.port == 11434 and
  source.ip != null and source.ip != "0.0.0.0" and
  not cidrmatch(source.ip, 
    "10.0.0.0/8", 
    "127.0.0.0/8", 
    "169.254.0.0/16", 
    "172.16.0.0/12", 
    "192.168.0.0/16",
    "100.64.0.0/10",
    "::1",
    "fe80::/10",
    "fc00::/7",
    "ff00::/8"
  )

Install detection rules in Elastic Security

Detect Ollama API Accessed from External Network in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).