Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
Rule type: machine_learning
Machine learning job: linux_rare_metadata_process
Machine learning anomaly threshold: 50
Risk score: 21
Runs every: 15 minutes
Maximum alerts per execution: 100
- Threat Detection
Added (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
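The following is an added illustration, not Elastic's rule or the `linux_rare_metadata_process` job itself: a simplified frequency baseline that flags processes responsible for only a small share of metadata service connections, including the rarely run workflow that the false-positive note describes. The event field names, the process names, the 5% cut-off and the sample events are assumptions constructed for the example.

```python
from collections import Counter

# Link-local address of the instance metadata service on AWS, Azure and GCP.
METADATA_IP = "169.254.169.254"


def rare_metadata_processes(events, max_share=0.05):
    """Return {process name: share of metadata accesses} for rare processes.

    A process is "rare" when it accounts for at most max_share of all
    connections to the metadata service in the supplied events.
    """
    counts = Counter(
        e["process.name"] for e in events if e.get("destination.ip") == METADATA_IP
    )
    total = sum(counts.values())
    if total == 0:
        return {}  # no metadata traffic at all, nothing to score
    return {name: n / total for name, n in counts.items() if n / total <= max_share}


def _events(name, n, ip=METADATA_IP):
    """Build n constructed connection events for one process (sample data only)."""
    return [{"process.name": name, "destination.ip": ip} for _ in range(n)]


# Constructed sample: two routine agents, one ad-hoc tool, one quarterly job,
# plus curl traffic to an unrelated address that must not affect the result.
SAMPLE_EVENTS = (
    _events("cloud-init", 60)
    + _events("monitoring-agent", 37)
    + _events("curl", 1)
    + _events("quarterly-report", 2)
    + _events("curl", 40, ip="203.0.113.10")
)

if __name__ == "__main__":
    for name, share in sorted(rare_metadata_processes(SAMPLE_EVENTS).items()):
        print(f"{name}: {share:.0%} of metadata accesses")
```

Both `curl` and `quarterly-report` are flagged here, so triage has to separate the legitimate but infrequent job from the unexpected one using context such as the user, parent process and host role.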