Perl Outbound Network Connection

Elastic Detection Rules

Summary
The "Perl Outbound Network Connection" detection rule identifies suspicious outbound network activity from Perl scripts executed on macOS systems. It focuses on connections to non-private IP addresses, which are uncommon for normal Perl usage on this operating system. Attackers frequently abuse Perl, a legitimate interpreter already present on the host, to establish command-and-control channels or to download additional payloads over HTTP/S. The detection is an EQL sequence query that pairs the execution of Perl with a subsequent network connection made by that same process.

Investigators are guided to analyze the process tree, review connectivity to external destinations, and correlate related file activity in order to judge whether the Perl execution is legitimate. Legitimate uses of Perl do exist and will produce false positives unless the alert is placed in context. The rule also stresses post-detection response: isolate the affected system, preserve evidence for forensic analysis, and apply stricter controls over who may run Perl and under what circumstances.
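The following is an added example, not Elastic's rule and not code from this page: a Python re-implementation of the sequence logic the summary describes (a Perl process start, followed within a short window by an outbound connection from that same process to a non-private destination), run over a handful of constructed events. The rule's actual EQL text and the fields it queries are not shown here, so the ECS-style field names (`event.category`, `process.entity_id`, `destination.ip`), the 30-second window, the exact process name match, and the list of "private" ranges are all assumptions of this example.

```python
"""Added illustration of the Perl-start -> outbound-connection sequence.
Not Elastic's EQL rule; field names, window and ranges are assumptions."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: "non-private" means outside the ranges below. An explicit list is
# used instead of ipaddress.is_private(), which would also classify the TEST-NET
# documentation ranges as private and hide that boundary from the reader.
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "0.0.0.0/8", "224.0.0.0/4",                        # "this" network, multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 loopback, ULA, link-local, multicast
)]


def is_private_destination(ip: str) -> bool:
    """True if the destination falls inside one of the non-public ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC_NETWORKS)


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_perl_outbound(events, window: timedelta = timedelta(seconds=30)):
    """Emulate an EQL sequence joined on process.entity_id:
       [process start where process.name == "perl"] followed within `window` by
       [network connection from the same process to a non-private destination].
    Returns (entity_id, destination_ip) pairs in chronological order."""
    perl_started_at = {}  # entity_id -> time the perl process started
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        when = _ts(ev["@timestamp"])
        entity = ev["process.entity_id"]
        if ev["event.category"] == "process":
            # Only a start event for perl itself opens a sequence for this entity.
            # (Version-suffixed binaries such as perl5.x are deliberately not matched here.)
            if ev.get("event.type") == "start" and ev.get("process.name") == "perl":
                perl_started_at[entity] = when
            continue
        if ev["event.category"] != "network":
            continue
        started = perl_started_at.get(entity)
        if started is None or when - started > window:
            continue  # no perl start seen for this process, or outside the window
        dst = ev.get("destination.ip")
        if dst and not is_private_destination(dst):
            alerts.append((entity, dst))
    return alerts


# Constructed sample telemetry (not captured from a real host). The public
# destinations are well-known resolver addresses chosen only as stand-ins.
SAMPLE_EVENTS = [
    # p1: perl starts, talks to a private host (ignored), then to a public one -> alert
    {"@timestamp": "2026-01-30T10:00:00Z", "event.category": "process", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p1"},
    {"@timestamp": "2026-01-30T10:00:01Z", "event.category": "network", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p1", "destination.ip": "192.168.1.20"},
    {"@timestamp": "2026-01-30T10:00:02Z", "event.category": "network", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p1", "destination.ip": "1.1.1.1"},
    # p2: perl only reaches an RFC 1918 address -> no alert
    {"@timestamp": "2026-01-30T10:01:00Z", "event.category": "process", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p2"},
    {"@timestamp": "2026-01-30T10:01:01Z", "event.category": "network", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p2", "destination.ip": "10.0.0.5"},
    # p3: curl to a public address -> not perl, no alert
    {"@timestamp": "2026-01-30T10:02:00Z", "event.category": "process", "event.type": "start",
     "process.name": "curl", "process.entity_id": "p3"},
    {"@timestamp": "2026-01-30T10:02:01Z", "event.category": "network", "event.type": "start",
     "process.name": "curl", "process.entity_id": "p3", "destination.ip": "8.8.8.8"},
    # p4: perl reaches a public IPv6 address, but 45 s after start, outside the window -> no alert
    {"@timestamp": "2026-01-30T10:03:00Z", "event.category": "process", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p4"},
    {"@timestamp": "2026-01-30T10:03:45Z", "event.category": "network", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p4", "destination.ip": "2606:4700:4700::1111"},
    # p5: network event with no preceding perl start in the data -> sequence never opened
    {"@timestamp": "2026-01-30T10:04:00Z", "event.category": "network", "event.type": "start",
     "process.name": "perl", "process.entity_id": "p5", "destination.ip": "9.9.9.9"},
]

if __name__ == "__main__":
    for entity, dst in find_perl_outbound(SAMPLE_EVENTS):
        print(f"ALERT perl process {entity} connected outbound to {dst}")
```

The join on `process.entity_id` is what makes this a sequence rather than two independent filters: a Perl start and an unrelated process's connection never combine, and a connection seen before any Perl start (p5) or long after it (p4) is dropped. When tuning the real rule, the private-range list is the first thing to revisit, since a loopback proxy or a CGNAT range on the host's network decides whether a connection counts as "outbound".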
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1071 (Application Layer Protocol)
  • T1071.001 (Application Layer Protocol: Web Protocols)
  • T1059 (Command and Scripting Interpreter)
Created: 2026-01-30