Hidden Executable with Command Line IP Argument - *nix

Anvilogic Forge

Summary
This detection rule identifies potentially malicious activity on *nix systems by observing processes classified as hidden executables. Specifically, the rule triggers when a process name starts with a dot (.), marking it as hidden, and the process is supplied with a command line argument that contains an IP address. Such behavior is typically indicative of evasion tactics used by attackers attempting to avoid detection or exfiltrate data. The rule uses a Splunk search expression that filters endpoint data on specific matches against process paths and command line arguments: the detection logic looks for processes whose path conforms to the hidden file pattern and checks the command line arguments for a valid IP address format. Matching events are logged alongside relevant contextual information such as timestamp, host, user, and process details, which supports further analysis and response actions.
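The same logic expressed in Python, as an added illustration that is not the Forge rule's own Splunk search: it runs the hidden-executable and IP-argument checks over constructed process events (the event field names `process_path`, `command_line`, `timestamp`, `host` and `user` are assumed), rejects dotted quads that are not valid IPv4 addresses, and does not count hidden parent directories on the path as a hidden executable.

```python
import ipaddress
import re
from typing import Optional

# Dotted-quad candidates; each is validated with ipaddress so "999.1.1.1" is rejected.
IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def is_hidden_executable(process_path: str) -> bool:
    """True when the executable's basename starts with '.', e.g. /tmp/.cache.
    Hidden directories on the path (/home/dev/.local/bin/tool) do not count."""
    name = process_path.rstrip("/").rsplit("/", 1)[-1]
    return name.startswith(".") and name not in (".", "..")


def first_ip_argument(command_line: str) -> Optional[str]:
    """Return the first syntactically valid IPv4 address in the command line, else None."""
    for m in IPV4_CANDIDATE.finditer(command_line):
        try:
            return str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # e.g. an octet above 255
    return None


def match_event(event: dict) -> Optional[dict]:
    """Apply the rule to one process event; return enrichment context on a hit, else None."""
    if not is_hidden_executable(event["process_path"]):
        return None
    ip = first_ip_argument(event["command_line"])
    if ip is None:
        return None
    context = {k: event[k] for k in ("timestamp", "host", "user", "process_path")}
    return {**context, "ip_argument": ip}


def run_rule(events: list) -> list:
    """Evaluate every event and return the list of hits with their context."""
    return [hit for hit in (match_event(e) for e in events) if hit is not None]


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-09T10:00:01Z", "host": "web01", "user": "www-data",
     "process_path": "/tmp/.cache", "command_line": "/tmp/.cache -c 203.0.113.10 -p 4444"},
    {"timestamp": "2024-02-09T10:00:02Z", "host": "web01", "user": "www-data",
     "process_path": "/usr/bin/curl", "command_line": "curl http://203.0.113.10/"},
    {"timestamp": "2024-02-09T10:00:03Z", "host": "dev02", "user": "dev",
     "process_path": "/home/dev/.local/bin/tool", "command_line": "tool --listen 0.0.0.0"},
    {"timestamp": "2024-02-09T10:00:04Z", "host": "dev02", "user": "dev",
     "process_path": "/tmp/.x", "command_line": "/tmp/.x 999.1.1.1 v1.2.3.4.5"},
]
```

Only the first sample event is a hit: the second is not a hidden executable, the third is a normal binary under a hidden directory, and the fourth carries no valid IPv4 address.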
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1564.001
Created: 2024-02-09