Nping Process Activity | SIEM Guide [7.8]

The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

› › ›

« Nmap Process Activity PPTP (Point to Point Tunneling Protocol) Activity »

Nping Process Activityedit

Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.

Rule type: query

Rule indices:

auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

https://en.wikipedia.org/wiki/Nmap

Tags:

Elastic
Linux

Version: 2 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positivesedit

Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of Nping by non-engineers or ordinary users is uncommon.

Rule queryedit

process.name:nping and event.action:executed

Rule version historyedit

Version 2 (7.7.0 release)

Updated query, changed from:

process.name: nping and event.action:executed

« Nmap Process Activity PPTP (Point to Point Tunneling Protocol) Activity »