
Summary
This detection rule identifies suspicious network communication by non-browser applications with the Telegram API, which can indicate covert command-and-control (C2) activity. The rule excludes known browsers such as Chrome, Firefox and Edge so that only non-browser processes are considered. The detection logic raises an alert when a process connects to 'api.telegram.org' (a host that, on most endpoints, is only contacted by web browsers) and the connecting process is not on the browser exclusion list. False positives can occur with legitimate applications that use the Telegram API for valid reasons (for example, notification bots); these are identified from the context of the environment and handled by tuning. The detection matters most in environments where unauthorized C2 communication poses a significant risk.
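The following is an added example, not code from the original rule page: a minimal Python implementation of the logic described above, run over constructed network-connection events. The event field names (Image, DestinationHostname, DestinationPort) follow the Sysmon Event ID 3 convention, and the browser exclusion list and the allowlist mechanism for tuning false positives are assumptions modelled on the description, not the rule's actual content.

```python
# Added example (not the original rule): detect non-browser processes connecting
# to api.telegram.org, with an allowlist for known-good non-browser clients.
from dataclasses import dataclass
from typing import Iterable, List, Set

TELEGRAM_API_HOST = "api.telegram.org"

# Assumed browser exclusion list; the real rule's list may differ.
EXCLUDED_BROWSERS: Set[str] = {
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "vivaldi.exe", "safari.exe",
}


@dataclass(frozen=True)
class NetworkEvent:
    """One outbound connection record (Sysmon Event ID 3 style fields)."""
    image: str                 # full path of the connecting process
    destination_hostname: str  # resolved hostname of the peer
    destination_port: int


def image_name(image: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_telegram_api(hostname: str) -> bool:
    """Match the Telegram API host, tolerating a trailing dot from DNS logs."""
    return hostname.lower().rstrip(".") == TELEGRAM_API_HOST


def matches_rule(event: NetworkEvent, allowlist: Set[str] = frozenset()) -> bool:
    """True when a non-browser, non-allowlisted process talks to api.telegram.org."""
    if not is_telegram_api(event.destination_hostname):
        return False
    name = image_name(event.image)
    if name in EXCLUDED_BROWSERS:
        return False
    # Tuning knob: environment-specific legitimate clients (labelled assumption).
    return event.image.lower() not in {a.lower() for a in allowlist}


def detect(events: Iterable[NetworkEvent],
           allowlist: Set[str] = frozenset()) -> List[NetworkEvent]:
    """Return the events that should raise an alert."""
    return [e for e in events if matches_rule(e, allowlist)]


# Constructed sample events for demonstration only.
SAMPLE_EVENTS = [
    NetworkEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "api.telegram.org", 443),            # browser: excluded
    NetworkEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 "api.telegram.org", 443),            # non-browser: alert
    NetworkEvent(r"C:\Windows\System32\svchost.exe",
                 "www.microsoft.com", 443),           # other host: ignored
    NetworkEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 "api.telegram.org.", 443),           # browser, trailing dot: excluded
    NetworkEvent(r"C:\Tools\Python311\python.exe",
                 "api.telegram.org", 443),            # e.g. a notification bot: alert unless allowlisted
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} -> {hit.destination_hostname}:{hit.destination_port}")
    tuned = detect(SAMPLE_EVENTS, allowlist={r"C:\Tools\Python311\python.exe"})
    print(f"after allowlisting the known bot host: {len(tuned)} alert(s)")
```

Running the block prints two alerts for the constructed input (update.exe and python.exe) and one after the bot interpreter is allowlisted; in practice the allowlist should be a full path plus, ideally, a signer or hash check, since an executable name alone is trivial for an attacker to reuse.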
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
Created: 2023-05-19