TCP 9200
Synopsis
- Elasticsearch uses TCP port 9200 as its default HTTP/REST API endpoint.
- In real deployments, Kibana, Logstash, Beats, and APM Server communicate with Elasticsearch on 9200.
- OpenSearch (the community fork of Elasticsearch) also exposes its REST API on 9200, with OpenSearch Dashboards and apps connecting to it by default in self-hosted setups.
- Software that relies on Elasticsearch/OpenSearch often talks to 9200, for example Graylog and Wazuh managers indexing and querying data, and GitLab’s Elasticsearch integration when self-managed.
- Some managed offerings proxy this over 443, but their backing nodes typically still use 9200 internally.
- Port 9200 has a history of abuse: internet-exposed Elasticsearch/OpenSearch endpoints have been hit by unauthenticated data wipes and ransom/extortion campaigns (notably in 2017), by cryptomining deployments, and through remote code execution bugs such as CVE-2015-1427 when scripting was enabled.