
Summary
This detection rule identifies potential subnet scanning activity originating from a compromised host. Subnet scanning is a common reconnaissance technique used by attackers to map network topology and identify vulnerable hosts, which may lead to further exploitation. The rule analyzes network connection attempts from a single host to a large number of distinct IP addresses within a short time span; specifically, it alerts when a host attempts connections to more than 250 unique destinations within one hour. The detection is written in Elastic's EQL (Event Query Language) for the Elastic Security environment and evaluates logs from the 'logs-endpoint.events.network-*' index. It keys on the event action and event type fields, filtering for 'connection_attempted' actions on Linux systems. Deploying the rule requires the Elastic Defend integration on the Elastic Agent, set up through Fleet. The assigned risk score is low: the activity poses limited immediate risk but still warrants attention as possible network reconnaissance preceding further threats.
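The same threshold logic, rewritten here in Python as an added illustration rather than the rule's own EQL (which this page does not reproduce): it applies the Linux and 'connection_attempted' filters, then counts distinct destinations per host inside a sliding one-hour window. The field names are assumed to follow the Elastic Defend network data stream, and the hosts, IPs and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone


def make_events():
    """Constructed sample events shaped like Elastic Defend network documents
    (field names follow that data stream; hosts, IPs and times are made up)."""
    base = datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc)
    hosts = [  # (host, os type, attempts, distinct destinations)
        ("web-01", "linux", 300, 300),    # 300 peers in 10 minutes -> scan
        ("db-01", "linux", 300, 5),       # busy, but only 5 peers -> benign
        ("win-01", "windows", 300, 300),  # not Linux -> outside the rule's scope
    ]
    events = []
    for host, os_type, n, distinct in hosts:
        for i in range(n):
            d = i % distinct
            events.append({
                "@timestamp": base + timedelta(seconds=2 * i),
                "host.name": host,
                "host.os.type": os_type,
                "event.action": "connection_attempted",
                "destination.ip": f"10.0.{d // 256}.{d % 256}",
            })
    return events


def detect_subnet_scans(events, threshold=250, window_seconds=3600):
    """Return {host: peak unique destinations} for hosts whose distinct
    destination count inside any sliding window exceeds the threshold."""
    window = timedelta(seconds=window_seconds)
    per_host = {}
    for e in events:
        # Same filters the rule applies: Linux hosts and connection_attempted only.
        if e["host.os.type"] != "linux" or e["event.action"] != "connection_attempted":
            continue
        per_host.setdefault(e["host.name"], []).append((e["@timestamp"], e["destination.ip"]))
    alerts = {}
    for host, attempts in per_host.items():
        attempts.sort()
        in_window = {}  # destination ip -> attempts currently inside the window
        left, peak = 0, 0
        for ts, ip in attempts:
            in_window[ip] = in_window.get(ip, 0) + 1
            while ts - attempts[left][0] > window:  # slide the window's left edge
                old = attempts[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))  # repeats to one peer count once
        if peak > threshold:
            alerts[host] = peak
    return alerts
```

Note that db-01 makes as many connection attempts as web-01 but never alerts, because the rule counts distinct destinations, not raw attempt volume.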
Categories
- Endpoint
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1046
Created: 2025-03-04