SOCKS Traffic from an Unusual Process

Elastic Detection Rules

Summary
This detection rule identifies unusual SOCKS traffic originating from processes that may be acting as proxies for malicious communications to command and control (C2) servers. By correlating events from FortiGate's application control logs with Elastic Defend network data, the rule targets activity that indicates an adversary is using a proxy to relay traffic covertly and evade detection. The EQL query is designed to track network events involving the SOCKS protocol together with the associated endpoint actions, helping security teams surface potential threats. Key investigation steps involve analyzing the originating process, its parent process, and related network connections; known false positives include benign proxies such as browser extensions or trusted development tools. Immediate response actions are recommended for any confirmed threat, including isolating the affected systems and reviewing credentials and configurations.
Categories
  • Endpoint
  • Cloud
Data Sources
  • Pod
  • Container
  • User Account
  • Network Traffic
  • Process
  • Application Log
ATT&CK Techniques
  • T1090
Created: 2025-11-17