Unusual Linux Network Serviceedit

Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.

Rule type: machine_learning

Machine learning job: linux_anomalous_network_service

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100



  • Elastic
  • Linux
  • ML

Version: 1

Added (Elastic Stack release): 7.7.0

Potential false positivesedit

A newly installed program or one that rarely uses the network could trigger this signal.