Unexpected Network Connection from System Process

Anvilogic Forge

Summary
The detection rule 'Unexpected Network Connection from System Process' identifies non-networking system processes that initiate network connections, which could indicate malicious activity such as command and control (C2) communications or data exfiltration. Threat actors often abuse trusted system processes, leveraging their authority to avoid detection mechanisms. The rule specifically monitors processes typically not associated with network activity, including conhost.exe, lsass.exe, wininit.exe, and others. By analyzing Windows event logs for EventCode 5156, the rule captures network connections initiated by these processes, providing insight into potential security threats. The goal is to surface behavior that falls outside the norm of expected system process functionality, strengthening the defense against evasive tactics employed by attackers. The rule uses Splunk to gather endpoint data, organize it by relevant attributes, and flag suspicious activity for further investigation.
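The following is an added illustration of the detection logic described above, written for this page; it is not Anvilogic's rule or its Splunk query. It parses constructed key=value log lines whose fields mirror those of Windows Security Event 5156 (Application, Direction, SourceAddress, DestAddress, DestPort, Protocol), keeps only outbound permit events whose Application file name is one of the processes the rule names, and groups the hits by host and process. The process list, the outbound-only filter, and the host field name are assumptions for the example; the sample events are synthetic.

```python
import re
from collections import Counter

# Process names the rule treats as non-networking. The page lists these three
# "and others"; this set is a starting point, not the vendor's full list (assumption).
NON_NETWORKING_PROCESSES = {"conhost.exe", "lsass.exe", "wininit.exe"}

# Constructed sample events in key=value form, mirroring the fields Windows Security
# Event 5156 exposes. These are synthetic lines written for this example, not real telemetry.
SAMPLE_EVENTS = [
    r"host=WS01 EventCode=5156 Application=\device\harddiskvolume2\windows\system32\lsass.exe Direction=Outbound SourceAddress=10.0.0.5 SourcePort=49712 DestAddress=203.0.113.10 DestPort=443 Protocol=6",
    r"host=WS01 EventCode=5156 Application=\device\harddiskvolume2\users\alice\appdata\local\browser\browser.exe Direction=Outbound SourceAddress=10.0.0.5 SourcePort=49713 DestAddress=203.0.113.20 DestPort=443 Protocol=6",
    r"host=WS02 EventCode=5156 Application=\device\harddiskvolume2\windows\system32\conhost.exe Direction=Inbound SourceAddress=10.0.0.9 SourcePort=445 DestAddress=10.0.0.6 DestPort=51234 Protocol=6",
    r"host=WS02 EventCode=5156 Application=\device\harddiskvolume2\WINDOWS\SYSTEM32\CONHOST.EXE Direction=Outbound SourceAddress=10.0.0.6 SourcePort=51300 DestAddress=198.51.100.7 DestPort=8080 Protocol=6",
    r"host=WS01 EventCode=5158 Application=\device\harddiskvolume2\windows\system32\lsass.exe Direction=Outbound SourceAddress=10.0.0.5 SourcePort=49714 DestAddress=0.0.0.0 DestPort=0 Protocol=17",
    r"host=WS01 EventCode=5156 Application=\device\harddiskvolume2\windows\system32\lsass.exe Direction=Outbound SourceAddress=10.0.0.5 SourcePort=49715 DestAddress=203.0.113.10 DestPort=443 Protocol=6",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict (values contain no spaces in this format)."""
    return dict(KV_RE.findall(line))


def process_name(application):
    """Return the lowercase file name from a 5156 Application value, which uses a device path."""
    return application.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event):
    """True when a 5156 permit event records an outbound connection from a non-networking process."""
    if event.get("EventCode") != "5156":
        return False
    # The rule targets connections the process initiates; only outbound events count (assumption).
    if event.get("Direction", "").lower() != "outbound":
        return False
    return process_name(event.get("Application", "")) in NON_NETWORKING_PROCESSES


def detect(lines):
    """Parse every line and return the suspicious events as normalized dicts, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append({
                "host": event.get("host"),
                "process": process_name(event["Application"]),
                "dest": f"{event.get('DestAddress')}:{event.get('DestPort')}",
                "protocol": event.get("Protocol"),
            })
    return hits


def summarize(hits):
    """Group hits by (host, process), mirroring how the rule organizes endpoint data before flagging."""
    return Counter((h["host"], h["process"]) for h in hits)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']}: {h['process']} -> {h['dest']} (protocol {h['protocol']})")
    for (host, proc), n in summarize(found).items():
        print(f"{host} {proc}: {n} outbound connection(s)")
```

When tuning a rule like this, expect legitimate hits from lsass.exe on domain-joined hosts, which contacts domain controllers for authentication traffic; baselining destination addresses per process before alerting keeps the rule focused on connections that fall outside that norm.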
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • Windows Registry
ATT&CK Techniques
  • T1071
  • T1036
  • T1055
  • T1057
Created: 2025-04-04