
Summary
This rule, authored by Elastic, detects potential port scanning activity indicative of a compromised host. Port scanning is a reconnaissance technique used by threat actors to discover open ports and services on target systems. The detection focuses on network connection attempts from a single host to many ports over a brief period, specifically flagging cases where one agent connects to more than 100 unique ports. The rule relies on the Elastic Defend integration and therefore requires data from the Elastic Agent. Alerts are generated only for hosts running Linux and are based on network events recorded in Elastic Security. The rule has a low severity level and a risk score of 21, implying moderate threat potential. It maps to the MITRE ATT&CK framework, specifically the Network Service Discovery technique (T1046) under the Discovery tactic (TA0007). Recommended prerequisites include configuring Fleet Server for the Elastic Agent so that endpoint network events are reported and monitored efficiently.
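As an added illustration of the logic described above (not Elastic's rule query or code), the following Python applies the rule's "more than 100 unique ports per host" threshold to constructed, ECS-style network events and restricts alerts to Linux hosts; the five-minute window, the host names and the flattened event shape are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD = 100                 # from the rule: more than 100 unique ports per host
WINDOW = timedelta(minutes=5)   # assumed width of the rule's "brief period"

def _build_events():  # constructed sample events in a flattened ECS-like shape (not real telemetry)
    base, ev = datetime(2025, 3, 4, 12, 0, 0), []
    # Scanner: 150 distinct ports in 150 seconds from a Linux host.
    for i in range(150):
        ev.append({"host.name": "lnx-web-01", "host.os.type": "linux",
                   "@timestamp": base + timedelta(seconds=i), "destination.port": 1 + i})
    # Normal Linux host: a few service ports hit over and over.
    for i in range(200):
        ev.append({"host.name": "lnx-db-02", "host.os.type": "linux",
                   "@timestamp": base + timedelta(seconds=i), "destination.port": (22, 443, 5432)[i % 3]})
    # Slow host: 120 distinct ports, but one per minute, so few fall inside any one window.
    for i in range(120):
        ev.append({"host.name": "lnx-app-03", "host.os.type": "linux",
                   "@timestamp": base + timedelta(minutes=i), "destination.port": 1000 + i})
    # Windows host with scanner-like traffic; out of scope, since the rule only covers Linux.
    for i in range(150):
        ev.append({"host.name": "win-ws-04", "host.os.type": "windows",
                   "@timestamp": base + timedelta(seconds=i), "destination.port": 1 + i})
    return ev

SAMPLE_EVENTS = _build_events()

def max_unique_ports(points, window):  # peak count of distinct ports inside any window-wide span
    points = sorted(points)             # (timestamp, port) pairs, oldest first
    in_window, best, left = Counter(), 0, 0
    for ts, port in points:
        in_window[port] += 1
        while ts - points[left][0] > window:   # evict points that slid out of the window
            old = points[left][1]
            in_window[old] -= 1
            if not in_window[old]:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best

def find_port_scanners(events, threshold=THRESHOLD, window=WINDOW):
    """Return {host: peak_unique_ports} for Linux hosts whose peak exceeds the threshold."""
    by_host = defaultdict(list)
    for e in events:
        if e.get("host.os.type") == "linux":   # the rule alerts on Linux hosts only
            by_host[e["host.name"]].append((e["@timestamp"], e["destination.port"]))
    peaks = {h: max_unique_ports(p, window) for h, p in by_host.items()}
    return {h: n for h, n in peaks.items() if n > threshold}
```

Only lnx-web-01 trips the default threshold; the slow host peaks at six ports per window, which shows why the time window matters as much as the unique-port count.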
Categories
- Endpoint
- Linux
Data Sources
- Network Traffic
- Process
- Application Log
ATT&CK Techniques
- T1046
Created: 2025-03-04