
Summary
This rule monitors unusual Linux network connection discovery activity initiated by atypical user accounts, which may indicate account compromise or unauthorized network probing. It uses machine learning to score command executions against a threshold and identify patterns that deviate from the norm. The rule operates over a 45-minute window and checks for anomalies every 15 minutes. False positives can arise from legitimate system administrator actions, automated scripts, or troubleshooting activity. The rule requires the relevant integrations, specifically Elastic Defend and Auditd Manager, to be set up so that the required data is captured. It also includes a guide for investigating and responding to security events involving network discovery, to help users understand and mitigate them.
Categories
- Linux
- Endpoint
- Cloud
Data Sources
- User Account
- Command
- Network Traffic
- File
ATT&CK Techniques
- T1049
Created: 2020-09-03