Unusual Network Connection via DllHost

Elastic Detection Rules

Summary
The 'Unusual Network Connection via DllHost' detection rule identifies potentially malicious activity involving the legitimate Windows process dllhost.exe. It monitors outbound network connections initiated by dllhost.exe that deviate from its expected behavior and may indicate adversary command-and-control activity. Specifically, it captures instances where dllhost.exe connects to non-local IP addresses, which could indicate a threat actor abusing this process for covert communication. The rule uses EQL (Event Query Language) to correlate a sequence of events, a process start followed by a network connection, and filters out known safe IP address ranges so that only suspicious activity is surfaced. The rule is assigned a risk score of 47 (medium severity) and has production maturity, so organizations can rely on it to detect such attempts. An accompanying investigation guide helps security teams triage alerts, including steps for verifying the legitimacy of the process and analyzing its associated traffic.
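As an added example (this is not Elastic's rule or its EQL), the correlation the summary describes, implemented in Python and run over constructed sample events: a dllhost.exe process start followed, within an assumed time window, by a connection from the same process to an address outside an assumed list of local/benign ranges. The window length, the exclusion list and the event field names are assumptions for this example only.

```python
import ipaddress
from typing import Dict, Iterable, List

# Address ranges treated as local/benign and excluded from alerting. This list is an
# assumption for the example; the published rule's exclusion list may differ.
EXCLUDED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
    "0.0.0.0/8", "255.255.255.255/32",                  # unspecified, broadcast
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",     # IPv6 equivalents
)]

# Constructed sample telemetry (not real data). Each dict stands in for one
# process-start or network event; "ts" is seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "category": "process", "pid": 4100, "name": "dllhost.exe"},
    {"ts": 101, "category": "network", "pid": 4100, "name": "dllhost.exe", "dest_ip": "10.0.0.5"},
    {"ts": 200, "category": "process", "pid": 4200, "name": "dllhost.exe"},
    {"ts": 203, "category": "network", "pid": 4200, "name": "dllhost.exe", "dest_ip": "198.51.100.23"},
    {"ts": 300, "category": "process", "pid": 4300, "name": "svchost.exe"},
    {"ts": 301, "category": "network", "pid": 4300, "name": "svchost.exe", "dest_ip": "198.51.100.23"},
    {"ts": 400, "category": "network", "pid": 4400, "name": "dllhost.exe", "dest_ip": "198.51.100.23"},
]  # pid 4400 has no observed start, so the sequence cannot be completed


def is_local(ip: str) -> bool:
    """True when the destination falls in an excluded (local/benign) range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable destination: do not raise this alert on it
    return any(addr in net for net in EXCLUDED_RANGES)


def find_unusual_dllhost_connections(events: Iterable[dict], maxspan: int = 60) -> List[dict]:
    """Correlate a dllhost.exe start with a later non-local connection by the same pid.

    maxspan (seconds) is the assumed sequence window; bounding it also limits
    false correlations caused by pid reuse between a start and a later connection.
    """
    starts: Dict[int, int] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["name"].lower() != "dllhost.exe":
            continue
        if ev["category"] == "process":
            starts[ev["pid"]] = ev["ts"]
        elif ev["category"] == "network" and ev["pid"] in starts:
            if ev["ts"] - starts[ev["pid"]] <= maxspan and not is_local(ev["dest_ip"]):
                alerts.append({"pid": ev["pid"], "dest_ip": ev["dest_ip"], "ts": ev["ts"]})
    return alerts
```

Run against SAMPLE_EVENTS, only pid 4200 is reported: pid 4100 stays inside a private range, svchost.exe is out of scope, and pid 4400 never had a matching start event.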
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1218
Created: 2021-05-28