
Summary
This detection rule identifies potentially compromised Linux hosts whose behavior indicates malware-driven brute force attacks against external systems over SSH. By analyzing outbound connection attempts to non-private IP addresses from a single host or process, the rule flags unusual or excessive activity that could indicate infection or control by an attacker. Specifically, it focuses on established SSH ports (22 and known alternatives) and monitors connection attempts over the specified time frame. If a particular process initiates more than 15 connection attempts to different external IP addresses within an hour, the rule raises an alert, pointing towards possible botnet activity, unauthorized access attempts, or other malicious exploitation of the host. The rule requires integration with Elastic Defend, which supplies the process and network data it depends on for monitoring and incident response.
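To make the threshold logic concrete, here is an added example that re-implements the rule's core idea over constructed events; it is not the Elastic rule's own query. It assumes a simplified event shape (timestamp, host, process, destination IP, destination port), an assumed set of SSH ports, an assumed list of private/reserved ranges to exclude, and a one-hour sliding window counting distinct external destinations per host and process. Documentation ranges such as 203.0.113.0/24 are deliberately treated as external so the constructed sample has something to count.

```python
"""Toy re-implementation of an outbound-SSH brute force detection (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumption: port 22 plus a couple of common alternatives; the real rule's list may differ.
SSH_PORTS = {22, 2222, 22022}
THRESHOLD = 15                 # alert when MORE than 15 distinct external destinations
WINDOW = timedelta(hours=1)    # sliding one-hour window

# Assumption: ranges treated as "private" and therefore ignored. Documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are left out on purpose so the
# constructed sample below can use them as stand-ins for external addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def is_external(ip: str) -> bool:
    """True if the destination is outside every excluded range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def detect_outbound_ssh_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (host, process) whose distinct external SSH
    destinations exceed `threshold` inside any `window`-long span.

    Each event is a dict with keys: ts (ISO 8601 string), host, process,
    dest_ip, dest_port. Events are processed in time order; an alert is
    recorded the first time the threshold is crossed.
    """
    recent = defaultdict(deque)   # (host, process) -> deque of (datetime, dest_ip)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dest_port"] not in SSH_PORTS or not is_external(ev["dest_ip"]):
            continue
        key = (ev["host"], ev["process"])
        ts = datetime.fromisoformat(ev["ts"])
        dq = recent[key]
        dq.append((ts, ev["dest_ip"]))
        while dq and ts - dq[0][0] > window:   # drop events older than the window
            dq.popleft()
        distinct = {ip for _, ip in dq}
        if len(distinct) > threshold and key not in alerts:
            alerts[key] = {
                "host": ev["host"],
                "process": ev["process"],
                "distinct_external_ips": len(distinct),
                "triggered_at": ev["ts"],
            }
    return list(alerts.values())


def build_sample_events():
    """Constructed sample telemetry (not real data); process paths are hypothetical."""
    base = datetime(2025, 2, 20, 10, 0, 0)
    ev = lambda minutes, host, process, ip, port: {
        "ts": (base + timedelta(minutes=minutes)).isoformat(),
        "host": host, "process": process, "dest_ip": ip, "dest_port": port}
    events = []
    # 1) Suspicious: one process on web-01 reaches 20 external hosts on port 22 in 20 minutes.
    events += [ev(i, "web-01", "/tmp/.x/sshscan", f"203.0.113.{i + 1}", 22) for i in range(20)]
    # 2) Benign: an admin host SSHes to many internal (RFC 1918) machines; all excluded.
    events += [ev(i, "admin-01", "/usr/bin/ssh", f"10.0.0.{i + 1}", 22) for i in range(30)]
    # 3) Benign: rsync to many external hosts, but not on an SSH port.
    events += [ev(i, "web-01", "/usr/bin/rsync", f"198.51.100.{i + 1}", 873) for i in range(20)]
    # 4) Below threshold: 16 external hosts, but one every 15 minutes, so at most 5 per hour.
    events += [ev(15 * i, "db-01", "/opt/backup/agent", f"192.0.2.{i + 1}", 22) for i in range(16)]
    return events


if __name__ == "__main__":
    for alert in detect_outbound_ssh_bruteforce(build_sample_events()):
        print(alert)
```

Only the first scenario fires: the alert is recorded at the 16th distinct destination (10:15), while internal targets, non-SSH ports and a slow spread that never exceeds 15 distinct hosts per hour stay silent. When porting this to a real pipeline, the window, port list and excluded ranges are the knobs that decide the false-positive rate; the rule text's "non-private" exclusion is what keeps routine administrative SSH to internal hosts from counting.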
Categories
- Linux
- Endpoint
- Cloud
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1496
- T1059
- T1059.004
- T1071
Created: 2025-02-20