
Summary
This detection rule identifies potential API reconnaissance against Ollama servers by monitoring for unusual request patterns across its API endpoints. It looks for a high volume of requests (over 120) within a 5-minute window, particularly requests that use the HTTP HEAD method to assess server responses or that probe multiple endpoint paths. The underlying principle is that systematic enumeration of API endpoints may indicate an attacker attempting to discover hidden endpoints or vulnerabilities before a targeted attack. By tracking the origin of these requests and the responses they receive, security teams can better understand their API exposure and take the necessary actions to harden their defenses.
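As an added illustration, not part of the rule's own logic, the following Python detector applies the summary's thresholds (over 120 requests in a sliding 5-minute window, combined with HEAD usage or many distinct paths) to constructed access-log lines. The log line format, the sample traffic, and the "multiple paths" threshold of 5 are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # 5-minute window stated in the rule
THRESHOLD = 120                 # "over 120" requests within that window
MIN_DISTINCT_PATHS = 5          # assumption: how many paths count as "multiple"

def parse_line(line):
    """Parse one constructed log line: '<iso-timestamp> <src_ip> <method> <path> <status>'."""
    ts, src, method, path, status = line.split()
    return datetime.fromisoformat(ts), src, method, path, int(status)

def detect_api_recon(lines):
    """Sliding 5-minute window per source IP. A source is flagged the first time it
    exceeds THRESHOLD requests while using HEAD or touching many distinct paths."""
    windows = defaultdict(deque)   # src_ip -> deque of (ts, method, path, status)
    alerts = {}
    for ts, src, method, path, status in sorted(parse_line(l) for l in lines):
        q = windows[src]
        q.append((ts, method, path, status))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) > THRESHOLD and src not in alerts:
            heads = sum(1 for _, m, _, _ in q if m == "HEAD")
            paths = {p for _, _, p, _ in q}
            if heads or len(paths) >= MIN_DISTINCT_PATHS:
                alerts[src] = {"requests": len(q), "head": heads,
                               "distinct_paths": len(paths),
                               "not_found": sum(1 for *_, s in q if s == 404),
                               "flagged_at": ts}
    return alerts

def build_sample_log():
    """Constructed sample traffic, not real logs: one source sending HEAD requests
    across many paths (a few documented Ollama endpoints plus guessed ones), and one
    ordinary client calling /api/generate a handful of times."""
    base = datetime(2025, 10, 5, 12, 0, 0)
    probe_paths = ["/api/tags", "/api/generate", "/api/chat"] + [f"/api/guess{i}" for i in range(7)]
    lines = []
    for i in range(150):   # 150 HEADs in 150 seconds: well over 120 within five minutes
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 HEAD {probe_paths[i % 10]} 404")
    for i in range(10):    # benign client: ten POSTs to a single endpoint
        ts = base + timedelta(seconds=i * 20)
        lines.append(f"{ts.isoformat()} 192.0.2.10 POST /api/generate 200")
    return lines

if __name__ == "__main__":
    for src, detail in detect_api_recon(build_sample_log()).items():
        print(f"ALERT {src}: {detail}")
```

In a real deployment the same window logic would run over the server's access logs or network telemetry, keyed on whatever origin field those sources provide.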
Categories
- Web
- Application
- Cloud
Data Sources
- Pod
- Container
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1595
Created: 2025-10-05