MsBuild Making Network Connections

Elastic Detection Rules

Summary
This EQL rule detects potentially malicious use of `MsBuild.exe`, a legitimate Windows build tool that adversaries abuse to execute malicious code and evade security controls. The rule looks for the start of `MsBuild.exe` followed by an outbound connection to an external IP address: a sequence query pairs the process start with the subsequent attempt to connect to a non-internal destination. When the rule fires, the legitimacy of the activity should be assessed by reviewing suspicious indicators such as unexpected command-line arguments and the nature of the external domains contacted. Suggested investigation steps include examining the process execution chain, analyzing related network events, and looking for abnormal behavior on the host, so that threats associated with this process can be identified proactively.
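The sequence logic described above, reproduced as an added Python example rather than the rule's own EQL (the page does not carry the query): a `MsBuild.exe` process start is held as pending, and a later network connection from the same host and PID to an external address within a time window produces an alert. The event schema, the 30-second window, and the sample events are all constructed for illustration; a real rule would correlate on the endpoint's process entity id and its own field names.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, PIDs, and addresses).
# ws01: MsBuild starts with a project file in a temp directory, then connects out.
# ws02: MsBuild builds a normal solution and only talks to an internal host.
# ws03: a network event with no preceding process start in the window.
EVENTS = [
    {"@timestamp": "2020-02-18T10:00:00Z", "category": "process", "action": "start",
     "host": "ws01", "pid": 4100, "name": "MSBuild.exe",
     "command_line": "MSBuild.exe C:\\Users\\bob\\AppData\\Local\\Temp\\build.xml"},
    {"@timestamp": "2020-02-18T10:00:05Z", "category": "network", "action": "connection_attempted",
     "host": "ws01", "pid": 4100, "name": "MSBuild.exe", "dest_ip": "203.0.113.45", "dest_port": 443},
    {"@timestamp": "2020-02-18T10:01:00Z", "category": "process", "action": "start",
     "host": "ws02", "pid": 5200, "name": "MSBuild.exe",
     "command_line": "MSBuild.exe C:\\src\\app\\app.sln"},
    {"@timestamp": "2020-02-18T10:01:02Z", "category": "network", "action": "connection_attempted",
     "host": "ws02", "pid": 5200, "name": "MSBuild.exe", "dest_ip": "10.0.0.15", "dest_port": 8080},
    {"@timestamp": "2020-02-18T10:02:00Z", "category": "network", "action": "connection_attempted",
     "host": "ws03", "pid": 6300, "name": "MSBuild.exe", "dest_ip": "198.51.100.7", "dest_port": 80},
]

# Address ranges treated as "not external". Listed explicitly rather than via
# ipaddress.is_private so that documentation ranges (203.0.113.0/24 etc.) used
# in the constructed sample count as external, as a real public address would.
NON_EXTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Directories where a build project started by MsBuild is unusual (assumption).
SUSPICIOUS_PATH_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_external(ip_str):
    """True when the address is outside the private/loopback/link-local/multicast ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in NON_EXTERNAL)


def is_msbuild(event):
    return event.get("name", "").lower() == "msbuild.exe"


def detect_msbuild_sequence(events, maxspan=timedelta(seconds=30)):
    """Return (start_event, network_event) pairs for MsBuild start -> external connection.

    Events are processed in timestamp order. A start is remembered per (host, pid);
    a later network event from the same key matches if it falls within maxspan and
    targets an external address. One alert is raised per start.
    """
    alerts = []
    pending = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not is_msbuild(ev):
            continue
        key = (ev["host"], ev["pid"])
        ts = parse_ts(ev["@timestamp"])
        if ev["category"] == "process" and ev["action"] == "start":
            pending[key] = ev
        elif ev["category"] == "network":
            start = pending.get(key)
            if start is None:
                continue  # no start seen for this process: sequence cannot match
            if ts - parse_ts(start["@timestamp"]) > maxspan:
                del pending[key]  # window expired; drop the stale start
                continue
            if is_external(ev["dest_ip"]):
                alerts.append((start, ev))
                del pending[key]
    return alerts


def triage_notes(start_event):
    """Investigation hints for an alert: flag project files launched from unusual paths."""
    cmd = start_event.get("command_line", "").lower()
    return [hint for hint in SUSPICIOUS_PATH_HINTS if hint in cmd]


if __name__ == "__main__":
    for start, net in detect_msbuild_sequence(EVENTS):
        print(f"{start['host']} pid={start['pid']} -> {net['dest_ip']}:{net['dest_port']}")
        print("  cmd:", start["command_line"])
        print("  notes:", triage_notes(start) or "none")
```

Running it reports only the ws01 sequence: ws02's connection stays internal, and ws03 never has a matching process start, which is the point of a sequence query rather than two independent conditions. The `triage_notes` helper reflects the investigation step about unexpected command-line arguments; its path list is an assumption to be tuned per environment.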
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1127
  • T1127.001
Created: 2020-02-18