forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlinux_nmap_activity.toml
More file actions
35 lines (32 loc) · 1.04 KB
/
linux_nmap_activity.toml
File metadata and controls
35 lines (32 loc) · 1.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and
discover networks, and identify listening services and operating systems. It is sometimes used to gather information in
support of exploitation, execution or lateral movement.
"""
false_positives = [
"""
Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this
command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is
uncommon.
""",
]
index = ["auditbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Nmap Process Activity"
references = ["https://en.wikipedia.org/wiki/Nmap"]
risk_score = 21
rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
severity = "low"
tags = ["Elastic", "Linux"]
type = "query"
query = '''
process.name:nmap
'''