
Summary
This detection rule identifies the execution of Python modules on Linux and macOS hosts by monitoring process command-line activity. Adversaries use Python to run scripts or modules that support unauthorized operations such as lateral movement or data exfiltration. The rule applies a regex pattern to command-line executions that invoke Python modules, capturing parameters such as the module name and destination port. It restricts matches to events from the last two hours on the expected platforms and maps to MITRE ATT&CK technique T1059 (Command and Scripting Interpreter). The rule is focused on Linux audit logs, which indicates it is intended for environments where Python is commonly installed. The referenced material describes the atomic test procedures used to verify that this detection logic fires as expected.
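As an added illustration of the logic described above (not the rule's own query or regex), the following Python script applies an assumed command-line pattern, the platform filter and the two-hour window to constructed process events; the pattern, event field names and sample events are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed pattern (not the rule's own regex): a python interpreter invoked with
# "-m <module>" followed, possibly after other arguments, by a numeric port.
PYTHON_MODULE_RE = re.compile(
    r"(?:^|/)python(?:\d(?:\.\d+)?)?\s+(?:\S+\s+)*?-m\s+(?P<module>[\w.]+)"
    r"(?:\s+\S+)*?\s+(?P<port>\d{1,5})(?:\s|$)"
)
WINDOW = timedelta(hours=2)          # the rule's two-hour lookback
PLATFORMS = {"linux", "macos"}       # the rule's platform filter

def match_python_module(cmdline):
    """Return (module, port) when the command line invokes a Python module with a port, else None."""
    m = PYTHON_MODULE_RE.search(cmdline)
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:         # reject digits that cannot be a TCP/UDP port
        return None
    return m.group("module"), port

def detect(events, now):
    """Apply the platform and time-window filters, then the command-line pattern."""
    hits = []
    for ev in events:
        if ev["platform"] not in PLATFORMS or now - ev["timestamp"] > WINDOW:
            continue
        parsed = match_python_module(ev["cmdline"])
        if parsed:
            module, port = parsed
            hits.append({"host": ev["host"], "module": module, "port": port, "cmdline": ev["cmdline"]})
    return hits

# Constructed sample events (assumed field layout, not real audit data)
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"host": "web01", "platform": "linux", "timestamp": NOW - timedelta(minutes=15),
     "cmdline": "/usr/bin/python3 -m http.server 8080"},
    {"host": "mac02", "platform": "macos", "timestamp": NOW - timedelta(minutes=40),
     "cmdline": "python3.11 -m http.server --bind 0.0.0.0 9001"},
    {"host": "web01", "platform": "linux", "timestamp": NOW - timedelta(hours=5),
     "cmdline": "python3 -m http.server 8000"},        # outside the two-hour window
    {"host": "build03", "platform": "linux", "timestamp": NOW - timedelta(minutes=5),
     "cmdline": "python3 -m pip install requests"},    # module run, but no port argument
    {"host": "win04", "platform": "windows", "timestamp": NOW - timedelta(minutes=1),
     "cmdline": "python -m http.server 8080"},         # platform not covered by the rule
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, NOW):
        print(f"{hit['host']}: module={hit['module']} port={hit['port']} :: {hit['cmdline']}")
```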
Categories
- Linux
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1048.003
- T1059
Created: 2024-02-09