Apple Script Execution followed by Network Connection

Elastic Detection Rules

Summary
This rule detects potentially malicious activity on macOS systems where an AppleScript execution (`osascript`) is followed by a network connection from the same process within a short time frame. Adversaries often use AppleScript to issue commands that establish unauthorized connections for command and control (C2). The rule parses data from Elastic Defend integrated with Elastic Agent, focusing on the sequence of an `osascript` process start followed by network activity that does not target local or reserved IP addresses. This context helps identify harmful scripting behavior and lets analysts assess whether the network requests are legitimate or signal compromise. Investigative steps include examining process details and network connections, correlating related events, and assessing the account's legitimacy to understand the script's intent and potential impact, while also accounting for false positives from legitimate automation and system management tasks.
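The correlation the summary describes, as an added example that is not part of the rule or of Elastic's code: a process start for `osascript` is paired with a later network event from the same process (keyed on ECS `process.entity_id`), and only destinations outside local and reserved ranges within a window are flagged. The 30-second window and the sample events are assumptions constructed for this illustration; the page does not state the rule's actual window.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical correlation window; the page does not state the rule's actual value.
WINDOW = timedelta(seconds=30)

# Constructed sample events using ECS-style field names (not real telemetry).
EVENTS = [
    # p1: osascript starts, then connects to a public address 5 s later -> should alert
    {"@timestamp": "2024-01-01T10:00:00Z", "event.category": "process", "event.type": "start",
     "process.entity_id": "p1", "process.name": "osascript"},
    {"@timestamp": "2024-01-01T10:00:05Z", "event.category": "network", "event.type": "connection",
     "process.entity_id": "p1", "process.name": "osascript", "destination.ip": "8.8.8.8"},
    # p1 also talks to a private address -> excluded, as the rule ignores local/reserved ranges
    {"@timestamp": "2024-01-01T10:00:06Z", "event.category": "network", "event.type": "connection",
     "process.entity_id": "p1", "process.name": "osascript", "destination.ip": "10.1.2.3"},
    # p3: a browser connecting out is not osascript -> out of scope
    {"@timestamp": "2024-01-01T10:00:07Z", "event.category": "network", "event.type": "connection",
     "process.entity_id": "p3", "process.name": "Safari", "destination.ip": "8.8.8.8"},
    # p2: osascript connects out, but five minutes after starting -> outside the window
    {"@timestamp": "2024-01-01T11:00:00Z", "event.category": "process", "event.type": "start",
     "process.entity_id": "p2", "process.name": "osascript"},
    {"@timestamp": "2024-01-01T11:05:00Z", "event.category": "network", "event.type": "connection",
     "process.entity_id": "p2", "process.name": "osascript", "destination.ip": "8.8.8.8"},
]

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_external(ip: str) -> bool:
    """True when the destination is publicly routable, i.e. not a private, loopback,
    link-local, multicast, reserved or documentation address (the ranges the rule skips)."""
    return ipaddress.ip_address(ip).is_global

def correlate(events, window=WINDOW):
    """Return (process.entity_id, destination.ip) pairs where an osascript start is
    followed, within `window`, by a connection from the same process to an external IP."""
    starts = {}   # entity_id -> start time of an osascript process
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        eid = ev["process.entity_id"]
        if ev["event.category"] == "process" and ev["event.type"] == "start":
            if ev["process.name"] == "osascript":
                starts[eid] = parse_ts(ev["@timestamp"])
        elif ev["event.category"] == "network" and eid in starts:
            elapsed = parse_ts(ev["@timestamp"]) - starts[eid]
            if elapsed <= window and is_external(ev["destination.ip"]):
                hits.append((eid, ev["destination.ip"]))
    return hits
```

Widening the window pulls in the slower p2 sequence as well, which is the trade-off between catching delayed beacons and raising false positives from routine automation.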
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • Application Log
  • User Account
ATT&CK Techniques
  • T1059
  • T1059.002
  • T1105
Created: 2020-12-07