
Summary
This threshold rule detects rapid execution of common Unix utilities such as ping, netcat, and socat, which adversaries frequently use for network scanning. These utilities can be misused for reconnaissance tasks such as ping sweeps across a network, especially when dedicated network mapping tools are absent from a compromised machine. The rule monitors process start events on Linux hosts and alerts security teams when executions of these utilities exceed a predefined threshold, indicating potentially malicious behavior. Specifically, it fires when these tools are executed multiple times within a short time frame (the threshold and window are set in the rule), which suggests an attempt to enumerate network devices or services for further exploitation. Investigative steps following an alert include confirming the rapid execution through event data, assessing the activity of the user account involved, and reviewing the command arguments for further context. Proper setup depends on integration with Elastic Defend, which supplies the process data the rule needs for accurate detection. The rule also includes guidance on triage, false positive management, and appropriate responses to confirmed alerts.
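As an added illustration, not the rule's own query or any Elastic code, the sliding-window threshold logic the summary describes, run over constructed process-start events and emitting the host, user, count and sample arguments a triager would want; the threshold, window, event field names and the extra netcat binary names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Utilities named in the rule summary; "nc"/"ncat" are common netcat binary names (assumption).
SCAN_UTILITIES = {"ping", "nc", "ncat", "netcat", "socat"}
# Assumed settings: the page does not state the rule's actual threshold or time window.
THRESHOLD = 10
WINDOW = timedelta(seconds=60)
_BASE = datetime(2023, 9, 4, 10, 0, 0)   # start time for the constructed sample below


def _event(offset_s, host, user, args):
    """Build a minimal process-start event `offset_s` seconds after _BASE (constructed data)."""
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"@timestamp": ts, "host": host, "user": user,
            "process": args.split()[0], "args": args}


# Constructed sample telemetry, not real data: www-data on web-01 runs a ping sweep;
# the remaining events are isolated executions that should not alert.
SAMPLE_EVENTS = [_event(2 * i, "web-01", "www-data", f"ping -c 1 -W 1 10.0.0.{i + 1}")
                 for i in range(12)] + [
    _event(5, "db-01", "admin", "ping -c 3 10.0.0.5"),
    _event(30, "bastion", "ops", "socat TCP-LISTEN:8443,fork TCP:10.0.0.9:443"),
    _event(900, "web-01", "www-data", "ping -c 1 10.0.0.200"),
]


def detect_rapid_utility_execution(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (host, user) whose watched-utility executions reach
    `threshold` within a sliding `window`, with context for triage."""
    recent = defaultdict(deque)   # (host, user) -> deque of (datetime, args)
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["process"] not in SCAN_UTILITIES:
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append((ts, ev["args"]))
        while ts - q[0][0] > window:   # evict executions older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": key[0], "user": key[1], "count": len(q),
                           "first": q[0][0].isoformat(), "last": ts.isoformat(),
                           "sample_args": [a for _, a in list(q)[:3]]})
    return alerts
```

Grouping by host and user is what lets the triage steps in the summary (which account, which arguments) be answered directly from the alert; the isolated admin and ops executions show why a single run of these tools is not enough to fire.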
Categories
- Linux
- Endpoint
- Network
Data Sources
- Process
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1046
Created: 2023-09-04