Potential Telegram API Request Via CommandLine

Splunk Security Content

Summary
This detection rule identifies suspicious process executions that reference the Telegram API on the command line, using data collected from Endpoint Detection and Response (EDR) agents. It primarily analyzes Sysmon and Windows Event Log process-creation events and matches command lines containing the URL 'api.telegram.org'. The presence of this API in a command line may indicate exfiltration of sensitive data or the use of Telegram as a command and control (C2) channel by malware or attackers, further compromising the targeted network. Implementation requires ingestion of complete process execution logs that capture command-line arguments, mapped to the Splunk CIM so the data can be searched consistently. False positives may arise from legitimate uses of the Telegram API by users or applications, so matches need careful investigation before they are treated as malicious.
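The matching logic the summary describes, as an added Python example rather than the project's own SPL search: it scans constructed Sysmon-style process-creation records for 'api.telegram.org' in the command line, applies an analyst allowlist for the legitimate uses the summary warns about, and redacts any bot token before the hit is reported. The field names (process, process_name, parent_process_name, dest, user), the sample records and the allowlisted application are assumptions.

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Constructed Sysmon-style process-creation records (not real telemetry).
# Field names follow the Splunk CIM Endpoint.Processes data model (assumption).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "WS01", "user": "CORP\\jdoe", "parent_process_name": "winword.exe",
     "process_name": "powershell.exe",
     "process": "powershell.exe -w hidden -c \"iwr https://API.telegram.org/bot123456:ABCdefGhIJKlmNoPQRstuVWxyz/getMe\""},
    {"dest": "WS02", "user": "CORP\\asmith", "parent_process_name": "explorer.exe",
     "process_name": "chrome.exe",
     "process": "chrome.exe https://api.telegram.org/"},
    {"dest": "WS03", "user": "CORP\\svc_build", "parent_process_name": "cmd.exe",
     "process_name": "curl.exe",
     "process": "curl.exe https://updates.example.internal/manifest.json"},
]

# Case-insensitive so that mixed-case URLs in the command line are not missed.
TELEGRAM_API = re.compile(r"api\.telegram\.org", re.IGNORECASE)
# Telegram bot tokens have the shape <numeric id>:<secret>; redact them before the
# alert is written out so the secret does not land in the SIEM (assumption on format).
BOT_TOKEN = re.compile(r"bot\d+:[A-Za-z0-9_-]+")


def redact_token(cmd: str) -> str:
    """Replace an embedded bot token with a placeholder, leaving the rest intact."""
    return BOT_TOKEN.sub("bot<REDACTED>", cmd)


def detect_telegram_api(events: Iterable[Dict[str, str]],
                        allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Return one alert record per process whose command line references api.telegram.org."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        cmd = ev.get("process", "")
        if not TELEGRAM_API.search(cmd):
            continue  # no Telegram API reference in the command line
        if ev.get("process_name", "").lower() in allowlist:
            continue  # analyst-tuned exception for a known-legitimate application
        hits.append({
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "parent_process_name": ev.get("parent_process_name"),
            "process_name": ev.get("process_name"),
            "process": redact_token(cmd),
            "attack_techniques": ["T1102.002", "T1041"],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_telegram_api(SAMPLE_EVENTS, allowlist=frozenset({"chrome.exe"})):
        print(hit)
```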
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Command
ATT&CK Techniques
  • T1102.002
  • T1041
Created: 2025-02-19