
Summary
This detection rule identifies the execution of known network scanning and reconnaissance tools on Linux systems. By monitoring process creation events, the rule flags instances where specific scanning tools, such as 'nmap', 'hping', and 'naabu', are invoked. It also excludes 'netcat' invocations that explicitly request network listening, since those usually represent legitimate administrative activity rather than a potential threat. The detection relies on the file paths of the executed processes to identify the tools in use. Recognizing these tools matters for network security because their execution may indicate pre-attack reconnaissance, in which a malicious actor probes systems for vulnerabilities. This rule can therefore help identify unauthorized or unexpected network discovery activity that may precede an attack.
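As an added example (not part of the rule or its source), the matching logic described above is applied in Python to a few constructed process-creation events. The binary-name variants (hping2/hping3, nc/ncat) and the way listen mode is recognised from the command line are assumptions of this example, not something the rule text specifies.

```python
import os
import shlex
from dataclasses import dataclass

# Tool names come from the rule description; the extra binary names
# (hping2/hping3, nc/ncat) are an assumption of this example.
SCANNER_BASENAMES = {"nmap", "hping", "hping2", "hping3", "naabu",
                     "netcat", "nc", "ncat"}
NETCAT_BASENAMES = {"netcat", "nc", "ncat"}


@dataclass
class ProcessEvent:
    image: str          # full path of the executed binary
    command_line: str   # command line as recorded by the process monitor
    user: str


def is_netcat_listener(argv):
    """Listen mode is requested with -l (possibly bundled, e.g. -lvp)
    or the long form --listen (assumed syntax for this example)."""
    for arg in argv[1:]:
        if arg == "--listen":
            return True
        if arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]:
            return True
    return False


def classify(event):
    """Return True when the event should be flagged as scanner execution."""
    name = os.path.basename(event.image)
    if name not in SCANNER_BASENAMES:
        return False
    if name in NETCAT_BASENAMES:
        try:
            argv = shlex.split(event.command_line)
        except ValueError:            # unbalanced quotes in the recorded line
            argv = event.command_line.split()
        if is_netcat_listener(argv):  # exclusion from the rule description
            return False
    return True


def run_rule(events):
    return [e for e in events if classify(e)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/nmap", "nmap -sn 10.0.0.0/24", "svc-backup"),
    ProcessEvent("/usr/sbin/hping3", "hping3 -S -p 80 10.0.0.5", "svc-backup"),
    ProcessEvent("/usr/bin/nc", "nc -lvp 8080", "deploy"),       # listener: excluded
    ProcessEvent("/usr/bin/nc", "nc 10.0.0.5 22", "deploy"),     # client: flagged
    ProcessEvent("/usr/bin/vim", "vim notes.txt", "alice"),
]
```

Because the match is on the executable's basename, a copied or renamed scanner binary is not caught; pairing this rule with file-hash or package-inventory telemetry closes that gap.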
Categories
- Linux
- Network
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1046
Created: 2020-10-21