GenAI Process Performing Encoding/Chunking Prior to Network Activity

Elastic Detection Rules

Summary
This detection rule identifies suspicious behavior by GenAI processes: a child process that performs an encoding or chunking operation (e.g., base64, gzip, tar, zip) immediately followed by outbound network activity. This sequence can indicate an attempt to exfiltrate sensitive data, since attackers commonly encode or compress data before transmission to obfuscate its contents and evade detection mechanisms. The rule triggers when the processes involved are not characteristic of legitimate GenAI workflows, providing a signal for further investigation.

The query uses a sequence to correlate process events with subsequent network connection attempts, keying on known encoding tools spawned by GenAI parent processes, to determine whether the encoding activity may be malicious.

Investigation steps include evaluating the legitimacy of the GenAI tool, inspecting command-line arguments for the types of data being handled, and assessing network destinations for unauthorized connections. The rule also documents false positives, acknowledging that legitimate workflows might trigger detections, and outlines steps for risk mitigation and response should a threat be confirmed.
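As an added illustration of the sequence correlation the summary describes (this is not the rule's own EQL query; the GenAI parent names, the encoder list and the 30-second window are assumptions), the join of encoder process events to later network events from the same pid, run over constructed telemetry:

```python
from datetime import datetime, timedelta

# Assumed, not taken from the rule: illustrative encoder and GenAI parent names.
ENCODERS = {"base64", "gzip", "tar", "zip"}
GENAI_PARENTS = {"ollama", "lm-studio"}  # hypothetical parent process names

# Constructed sample telemetry: one suspicious flow, one non-GenAI parent,
# and one GenAI-spawned encoder whose connection falls outside the window.
EVENTS = [
    {"ts": "2025-12-04T10:00:00", "kind": "process", "pid": 101,
     "name": "gzip", "parent": "ollama", "cmdline": "gzip -c customer_export.csv"},
    {"ts": "2025-12-04T10:00:05", "kind": "network", "pid": 101,
     "dest": "203.0.113.7:443"},
    {"ts": "2025-12-04T10:02:00", "kind": "process", "pid": 202,
     "name": "gzip", "parent": "bash", "cmdline": "gzip logs.txt"},
    {"ts": "2025-12-04T10:02:01", "kind": "network", "pid": 202,
     "dest": "198.51.100.2:443"},
    {"ts": "2025-12-04T10:03:00", "kind": "process", "pid": 303,
     "name": "tar", "parent": "ollama", "cmdline": "tar czf out.tgz ./docs"},
    {"ts": "2025-12-04T10:05:00", "kind": "network", "pid": 303,
     "dest": "192.0.2.9:443"},  # 120 s later: outside a 30 s window
]

def correlate(events, maxspan_seconds=30):
    """Return (process_event, network_event) pairs where an encoder spawned by a
    GenAI parent is followed, within maxspan_seconds, by outbound network
    activity from the same pid. Mirrors an EQL-style 'sequence by pid' join."""
    pending = {}  # pid -> (timestamp, qualifying encoder process event)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "process":
            if ev["name"] in ENCODERS and ev["parent"] in GENAI_PARENTS:
                pending[ev["pid"]] = (ts, ev)
        elif ev["kind"] == "network":
            start = pending.get(ev["pid"])
            if start and ts - start[0] <= timedelta(seconds=maxspan_seconds):
                hits.append((start[1], ev))
                del pending[ev["pid"]]  # alert once per encoder invocation
    return hits

if __name__ == "__main__":
    for proc, net in correlate(EVENTS):
        print(f"ALERT pid={proc['pid']} {proc['parent']} -> {proc['name']} "
              f"({proc['cmdline']}) then connect to {net['dest']}")
```

Triage follows the summary's steps: check whether the parent is an approved GenAI tool, what the encoder's command line references, and whether the destination is sanctioned.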
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Network Traffic
  • Application Log
  • User Account
ATT&CK Techniques
  • T0086
  • T1027
Created: 2025-12-04