DNS Query To Visual Studio Code Tunnels Domain

Sigma Rules

Summary
This rule detects DNS queries for Visual Studio Code tunnel domains, that is, query names ending in '.tunnels.api.visualstudio.com'. VS Code's tunneling feature gives remote access to a machine through Microsoft-hosted infrastructure, so an attacker who starts a tunnel on a compromised host obtains the equivalent of a reverse shell plus a persistence channel that blends in with ordinary outbound traffic to a legitimate Microsoft domain. The detection is a single suffix match over DNS query logs (for example Sysmon Event ID 22): any query whose name ends with the suffix fires the rule. Severity is medium because legitimate developer use of VS Code tunnels produces exactly the same queries; before treating a hit as command-and-control activity, analysts should check which host and which process issued the query and whether tunnels are normal for that user and system. The rule covers command-and-control and persistence techniques that abuse development tooling.
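The suffix match the rule describes, re-implemented in Python and run over a handful of constructed Sysmon Event ID 22 style DNS records. This is an added example, not the rule file or any code from the Sigma project; the event field names (QueryName, Image, Computer), the sample events and the `expected_hosts` allowlist used for triage are all assumptions made for the demonstration. It also shows two boundary cases the prose does not spell out: DNS names are case-insensitive and may carry a trailing root dot, so the name is normalised before matching, and the apex name `tunnels.api.visualstudio.com` itself does not end with the leading-dot suffix, so it does not fire.

```python
"""Suffix-match detection for VS Code tunnel DNS queries (example code)."""
import json

TUNNEL_SUFFIX = ".tunnels.api.visualstudio.com"   # suffix the rule looks for
RULE_LEVEL = "medium"                              # severity stated by the rule

# Constructed Sysmon Event ID 22 (DnsQuery) style records; not real telemetry.
# Field names are an assumption; a real pipeline would parse the event log.
SAMPLE_EVENTS = [
    {"Computer": "DEV-LAPTOP-01",
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "QueryName": "abc123.rel.tunnels.api.visualstudio.com"},      # developer use
    {"Computer": "FILESRV-02",
     "Image": r"C:\Windows\Temp\code.exe",
     "QueryName": "XYZ.Tunnels.API.VisualStudio.com."},            # mixed case, trailing dot
    {"Computer": "DEV-LAPTOP-01",
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "QueryName": "update.code.visualstudio.com"},                 # unrelated VS Code traffic
    {"Computer": "FILESRV-02",
     "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "tunnels.api.visualstudio.com"},                 # apex name, no leading dot
    {"Computer": "FILESRV-02",
     "Image": r"C:\Windows\Temp\code.exe",
     "QueryName": "tunnels.api.visualstudio.com.attacker.invalid"},  # suffix not at the end
]


def normalize_qname(name: str) -> str:
    """DNS names are case-insensitive and may end in a root dot; normalise
    so that 'FOO.Tunnels.API.VisualStudio.COM.' is not missed."""
    return name.strip().rstrip(".").lower()


def matches_rule(event: dict) -> bool:
    """The rule's single condition: the query name ends with the suffix."""
    return normalize_qname(event.get("QueryName", "")).endswith(TUNNEL_SUFFIX)


def run_detection(events, expected_hosts=frozenset()):
    """Apply the rule to each event and attach triage context.

    `expected_hosts` is an assumed allowlist of machines where developers
    legitimately use tunnels; it is a tuning aid for the analyst, not part
    of the rule, so matching events on those hosts are still returned."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        alerts.append({
            "level": RULE_LEVEL,
            "Computer": ev["Computer"],
            "Image": ev["Image"],
            "QueryName": normalize_qname(ev["QueryName"]),
            "expected_host": ev["Computer"] in expected_hosts,
        })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, expected_hosts={"DEV-LAPTOP-01"}):
        print(json.dumps(alert))
```

Only the first two sample events fire. The second one is the interesting hit: an unexpected file server, a `code.exe` copied into a temp directory, and a query that only matches after case and trailing-dot normalisation, which is the kind of context the medium severity asks analysts to weigh. The last two events show the boundaries of an `endswith` match: the apex name and a lookalike domain that merely contains the suffix are both ignored.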
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
Created: 2023-10-25