Unusual Linux Network Service | SIEM Guide [7.8]

The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

› › ›

« Unusual Linux Network Port Activity Unusual Linux Username »

Unusual Linux Network Serviceedit

Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, or persistence mechanisms.

Rule type: machine_learning

Machine learning job: linux_anomalous_network_service

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html

Tags:

Elastic
Linux
ML

Version: 1

Added (Elastic Stack release): 7.7.0

Potential false positivesedit

A newly installed program or one that rarely uses the network could trigger this signal.

« Unusual Linux Network Port Activity Unusual Linux Username »