This detection rule, created by Elastic, targets the Ollama LLM server's exposure to external IP addresses, which poses significant security threats due to the lack of authentication mechanisms. The default configuration of Ollama binds to localhost:11434, but the OLLAMA_HOST variable can inadvertently expose it to the internet. Attackers can exploit this exposure for unauthorized model access, prompt injection attacks, or resource hijacking. The rule utilizes an EQL query that monitors network events to identify connections accepted by Ollama from external sources. Investigation steps include checking the OLLAMA_HOST variable, analyzing source IP addresses, reviewing Ollama logs for suspicious activities, and assessing network traffic for potential data exfiltration. The rule also outlines possible false positives from misclassified networks and provides guidance for immediate remediation actions, such as restricting access and auditing downloaded models.