Potential Protocol Tunneling via Chisel Server

Elastic Detection Rules

Summary
This rule monitors for potential protocol tunneling activity using the Chisel server utility, which attackers may use to create covert communication channels and evade security controls. It detects a sequence in which a process is started with command-line arguments commonly associated with Chisel and an accepted network connection follows within a 1-minute window. The detection relies on EQL queries that match process execution patterns typical of Chisel combined with unusual accepted network connections, identifying potential unauthorized access through tunneling. The rule runs over events from the last 9 minutes and includes additional Osquery queries for investigative follow-up, supporting threat hunting and response.
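As an added illustration of the correlation logic the summary describes (this is not the rule's EQL or any Elastic code), the Python sketch below pairs a suspected Chisel server start with an accepted connection from the same host and PID within one minute. The argument set, the event shape and the sample telemetry are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Switches treated as typical of a Chisel server invocation. Assumed set for
# this example; the page does not list the rule's exact arguments.
CHISEL_SERVER_ARGS = {"--reverse", "--socks5", "--port", "-p", "--auth"}
WINDOW = timedelta(minutes=1)

def looks_like_chisel_server(event):
    """Process-start event whose args contain 'server' plus a Chisel-style switch."""
    args = event.get("args", [])
    return (event["type"] == "process_start"
            and "server" in args
            and any(a in CHISEL_SERVER_ARGS for a in args))

def detect_chisel_tunnel(events, window=WINDOW):
    """Correlate a suspected Chisel server start with an accepted network
    connection from the same host and PID inside the window. Returns alerts."""
    pending = {}  # (host, pid) -> timestamp of the suspicious process start
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if looks_like_chisel_server(ev):
            pending[key] = ev["ts"]
        elif ev["type"] == "connection_accepted" and key in pending:
            if ev["ts"] - pending[key] <= window:
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "started": pending[key], "connected": ev["ts"]})
                del pending[key]  # one alert per process start
    return alerts

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample telemetry (not real data); IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": t("2023-08-23T10:00:00"), "host": "web-01", "pid": 4242, "type": "process_start",
     "args": ["chisel", "server", "--reverse", "--port", "8080"]},
    {"ts": t("2023-08-23T10:00:25"), "host": "web-01", "pid": 4242,
     "type": "connection_accepted", "src": "203.0.113.7", "dst_port": 8080},
    {"ts": t("2023-08-23T11:00:00"), "host": "db-02", "pid": 777, "type": "process_start",
     "args": ["chisel", "server", "--socks5"]},
    {"ts": t("2023-08-23T11:06:00"), "host": "db-02", "pid": 777,  # outside the window
     "type": "connection_accepted", "src": "198.51.100.9", "dst_port": 8080},
    {"ts": t("2023-08-23T12:00:00"), "host": "app-03", "pid": 99, "type": "process_start",
     "args": ["nginx", "-g", "daemon off;"]},  # benign: no Chisel-style args
    {"ts": t("2023-08-23T12:00:01"), "host": "app-03", "pid": 99,
     "type": "connection_accepted", "src": "192.0.2.5", "dst_port": 443},
]

if __name__ == "__main__":
    for a in detect_chisel_tunnel(SAMPLE_EVENTS):
        delay = (a["connected"] - a["started"]).seconds
        print(f"ALERT host={a['host']} pid={a['pid']} connection accepted {delay}s after start")
```

Only the web-01 sequence fires; db-02 falls outside the 1-minute window and app-03 never matches the process pattern.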
Categories
  • Endpoint
  • Linux
  • Network
Data Sources
  • Process
  • Network Traffic
  • Image
  • Command
  • Logon Session
ATT&CK Techniques
  • T1572
Created: 2023-08-23