Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
Rule type: machine_learning
Machine learning job: linux_rare_metadata_process
Machine learning anomaly threshold: 50
Risk score: 21
Runs every: 15 minutes
Maximum alerts per execution: 100
- Threat Detection
Version: 2
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.
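The following added example (not Elastic's machine learning job or rule code) uses a simple frequency count as a stand-in for the rarity model, to show why both an unexpected process and a legitimate but infrequent workflow surface as anomalies. The event layout, the process names, the `max_share` threshold and the `allowlist` parameter are assumptions made for illustration; `169.254.169.254` is the link-local metadata address used by the major cloud providers.

```python
from collections import defaultdict

METADATA_IP = "169.254.169.254"  # link-local instance metadata endpoint

# Constructed sample events: (day, host, process name, destination IP).
EVENTS = (
    [(d, "web-1", "cloud-init", METADATA_IP) for d in range(1, 31)]   # daily, expected
    + [(d, "web-1", "curl", "203.0.113.10") for d in range(1, 31)]    # not metadata traffic
    + [(30, "web-1", "python3", METADATA_IP)]           # unusual process, seen once
    + [(29, "web-1", "backup-quarterly", METADATA_IP)]  # hypothetical rare workflow
)


def rare_metadata_processes(events, max_share=0.05, allowlist=frozenset()):
    """Return {process: share_of_days} for processes that contacted the
    metadata service on at most `max_share` of the observed days.

    `allowlist` holds process names already triaged as benign, such as a
    quarterly job, so they stop producing alerts.
    """
    days_seen = defaultdict(set)   # process -> days with metadata access
    all_days = set()               # every day present in the data
    for day, _host, proc, dst in events:
        all_days.add(day)
        if dst == METADATA_IP:
            days_seen[proc].add(day)

    total = len(all_days)
    if total == 0:
        return {}                  # no data, nothing to score
    rare = {}
    for proc, days in days_seen.items():
        share = len(days) / total
        if share <= max_share and proc not in allowlist:
            rare[proc] = share
    return rare


if __name__ == "__main__":
    print("untriaged:", rare_metadata_processes(EVENTS))
    print("after triage:",
          rare_metadata_processes(EVENTS, allowlist={"backup-quarterly"}))
```

Frequency alone cannot separate the two rare processes; the triage step is what distinguishes the known quarterly job from the process that warrants investigation.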
- Version 2 (7.12.0 release)
  - Formatting only