Nping Process Activityedit

Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100



  • Elastic
  • Linux

Version: 2 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positivesedit

Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of Nping by non-engineers or ordinary users is uncommon.

Rule queryedit and event.action:executed

Rule version historyedit

Version 2 (7.7.0 release)

Updated query, changed from: nping and event.action:executed