
Summary
This rule monitors for SSH X11 forwarding activity on Linux systems, a potential attack vector that lets an attacker run graphical applications remotely. X11 forwarding can be abused for GUI-based attacks, for establishing covert communication channels, and for pivoting through compromised systems. The detection is written in EQL and focuses on executions of the SSH client that use the '-X' or '-Y' flags, which request X11 forwarding. The rule ships with several Osquery queries that support the investigation of related suspicious activity: listing listening ports, checking open sockets, retrieving user information, and examining the parent process chain for signs of malicious behaviour. It also outlines investigation and response steps for handling triggered alerts, including isolating affected hosts, reviewing related user activity, and searching for additional malware. The rule is designed to integrate with multiple endpoint defence solutions, so that coverage is consistent across environments.
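The core of the detection logic described above, as an added example that is not the rule's own EQL or code: it applies the "ssh executed with -X or -Y" check to constructed process events, and goes slightly beyond the plain flag match by handling clustered short flags (-vX) and value-taking options (-l X) the way OpenSSH's option parser does, which is an assumption about that parser, not something the rule states.

```python
# Added example (not the rule's own code): the rule's core check, ssh launched
# with -X or -Y, run over constructed process events. Flag parsing mirrors
# OpenSSH's getopt-style handling (an assumption): flags may be clustered (-vX)
# and value-taking options swallow the next token or the rest of the cluster.
X11_FLAGS = {"X", "Y"}                   # -X untrusted, -Y trusted X11 forwarding
ARG_OPTS = set("bceilmopBDEFIJLOQRSwW")  # ssh short options that take a value

def requests_x11_forwarding(args):
    """True if the ssh argv (argv[0] included) asks for X11 forwarding.
    Options may precede or follow the destination; after a second non-option
    token the rest is the remote command, so 'ssh host ls -X' is not a hit."""
    tokens, i, saw_destination = list(args[1:]), 0, False
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok.startswith("--"):
            continue                       # no long options in ssh; '--' separates
        if not tok.startswith("-") or tok == "-":
            if saw_destination:
                break                      # start of the remote command
            saw_destination = True
            continue
        for pos, letter in enumerate(tok[1:], start=1):
            if letter in X11_FLAGS:
                return True
            if letter in ARG_OPTS:
                if pos == len(tok) - 1:    # separate value: skip the next token
                    i += 1
                break                      # glued value (-lX): rest of this token
    return False

def find_x11_forwarding(events):
    """Events the rule would alert on, using ECS-style field names."""
    return [e for e in events
            if e["process.name"] == "ssh" and requests_x11_forwarding(e["process.args"])]

def ev(host, user, parent, *argv):
    """One constructed process event; parent kept for the parent-chain review."""
    return {"host": host, "user": user, "process.parent.name": parent,
            "process.name": argv[0], "process.args": list(argv)}

SAMPLE_EVENTS = [                          # constructed telemetry, not captured data
    ev("web01", "deploy", "bash", "ssh", "-X", "ops@jump"),        # hit
    ev("web01", "deploy", "python3", "ssh", "-vY", "jump"),        # hit: clustered flag
    ev("web02", "svc", "cron", "ssh", "-l", "X", "jump"),          # miss: X is a value
    ev("web02", "svc", "bash", "ssh", "jump", "ls", "-X"),         # miss: remote command
    ev("web03", "root", "bash", "vim", "-X", "notes.txt"),         # miss: not ssh
]
```

Running `find_x11_forwarding(SAMPLE_EVENTS)` returns only the two web01 events; the parent name (a scripted python3 parent versus an interactive shell) is the first thing to look at when triaging such a hit.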
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1572
Created: 2023-08-23