
Summary
This detection rule identifies a network connection to a Visual Studio Code tunnel domain initiated by a process on a Windows system. Visual Studio Code tunnels let developers securely reach their local development environments remotely, but the same feature can be misused by attackers to create reverse shells, exfiltrate data, or establish persistence on compromised machines. The rule matches connections to destination domains that end with '.tunnels.api.visualstudio.com'; such a connection may indicate unauthorized or malicious use of an otherwise legitimate development tool, so each hit should be reviewed against the initiating process and the host's expected developer activity. Close attention to connections to these domains is essential to safeguard systems against potential exploitation. The rule provides insight into possible exfiltration scenarios and maps to the known tactic T1567.001 (Exfiltration Over Alternative Protocol), adding context to the severity of the detected connection.
Categories
- Network
- Endpoint
- Windows
Data Sources
- Network Traffic
Created: 2023-11-20
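As an added example (not part of the original rule or its project), the suffix match described above applied to constructed Sysmon Event ID 3-style network events; the JSON field names, the sample events and the list of expected tunnel client images are assumptions made for this illustration.

```python
"""Apply the '.tunnels.api.visualstudio.com' suffix condition to constructed
network-connection events and prioritise hits by initiating process."""
import json

TUNNEL_SUFFIX = ".tunnels.api.visualstudio.com"

# Assumption (not from the rule): image names a defender would normally expect
# to open a VS Code tunnel. A hit from any other image gets higher priority.
EXPECTED_IMAGES = {"code.exe", "code-tunnel.exe"}

# Constructed sample events in JSON Lines form using Sysmon Event ID 3 field
# names. They are not real telemetry; the hostnames are illustrative.
SAMPLE_EVENTS = r"""
{"EventID":3,"Image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","DestinationHostname":"usw2.tunnels.api.visualstudio.com","DestinationPort":443}
{"EventID":3,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationHostname":"EUW.TUNNELS.API.VISUALSTUDIO.COM","DestinationPort":443}
{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationHostname":"tunnels.api.visualstudio.com.example.net","DestinationPort":443}
{"EventID":3,"Image":"C:\\Windows\\explorer.exe","DestinationHostname":"login.microsoftonline.com","DestinationPort":443}
{"EventID":1,"Image":"C:\\Windows\\notepad.exe","DestinationHostname":"usw2.tunnels.api.visualstudio.com","DestinationPort":443}
"""


def is_tunnel_domain(hostname: str) -> bool:
    """The rule's condition: hostname ends with '.tunnels.api.visualstudio.com'.

    Compared case-insensitively because DNS names are, and a trailing dot
    (FQDN form) is tolerated. A lookalike such as
    'tunnels.api.visualstudio.com.example.net' does not match, and note that
    the bare apex 'tunnels.api.visualstudio.com' does not match either, since
    the suffix as written starts with a dot.
    """
    return hostname.lower().rstrip(".").endswith(TUNNEL_SUFFIX)


def detect(jsonl: str) -> list:
    """Return one hit per network-connection event whose destination matches."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        if event.get("EventID") != 3:  # only network-connection events
            continue
        host = event.get("DestinationHostname", "")
        if not is_tunnel_domain(host):
            continue
        image = event["Image"].rsplit("\\", 1)[-1].lower()  # file name only
        hits.append({
            "image": image,
            "host": host.lower(),
            "priority": "review" if image in EXPECTED_IMAGES else "high",
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```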