
Linux Telegram API Request

Elastic Detection Rules

Summary
This rule detects potential command and control (C2) behavior on Linux endpoints by monitoring for the execution of the curl or wget commands with arguments that include the api.telegram.org domain. Use of these specific commands against that domain may indicate that a compromised system is attempting to establish a connection with a remote server for malicious purposes. The detection logic is implemented in EQL (Event Query Language) and filters process events whose command line references api.telegram.org. The rule is tagged as low severity and is mapped to the MITRE ATT&CK framework under the Command and Control tactic (TA0011), technique T1071 (Application Layer Protocol) and sub-technique T1071.001 (Web Protocols). For this rule to function correctly, the Elastic Defend integration must be set up properly on Linux systems, with environment variable capture enabled so that the necessary context is available for analysis.
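As an added illustration of the detection logic the summary describes, the following Python replays the rule's conditions (a curl or wget process start whose arguments contain api.telegram.org) over constructed process events and attaches the rule's ATT&CK mapping to each hit. This is example code, not the rule's own EQL; the event field names, the case-insensitive wildcard matching and the sample events are assumptions made for the example.

```python
"""Replay of the Linux Telegram API Request rule over constructed events (example only)."""
from dataclasses import dataclass

TARGET_DOMAIN = "api.telegram.org"
WATCHED_BINARIES = {"curl", "wget"}          # process.name values the rule watches
# ATT&CK mapping carried by the rule, copied onto every alert.
ATTACK = {"tactic": "TA0011", "technique": "T1071", "subtechnique": "T1071.001"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for an Elastic Defend process event (assumed field names)."""
    host: str
    event_type: str        # "start" for process creation, "end" for exit
    name: str              # process.name (basename of the executable)
    args: list[str]        # process.args, one element per argument


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event satisfies the rule's EQL-style conditions."""
    if ev.event_type != "start":           # only process starts are of interest
        return False
    if ev.name not in WATCHED_BINARIES:    # curl or wget only
        return False
    # Approximates `process.args : "*api.telegram.org*"`: EQL's ":" operator is
    # case-insensitive, so the domain is compared in lower case (assumption).
    return any(TARGET_DOMAIN in arg.lower() for arg in ev.args)


def alert_for(ev: ProcessEvent) -> dict:
    """Build an alert record with the context an analyst would triage."""
    return {"host": ev.host, "process": ev.name,
            "command_line": " ".join(ev.args), **ATTACK}


def run_detection(events: list[ProcessEvent]) -> list[dict]:
    return [alert_for(ev) for ev in events if matches_rule(ev)]


# Constructed sample events; "<BOT_TOKEN>" is a placeholder, not a real value.
SAMPLE_EVENTS = [
    ProcessEvent("web-01", "start", "curl",
                 ["curl", "-s", "https://api.telegram.org/bot<BOT_TOKEN>/getMe"]),
    ProcessEvent("web-01", "start", "wget",
                 ["wget", "-qO-", "http://API.TELEGRAM.ORG/"]),      # upper case still hits
    ProcessEvent("web-02", "start", "curl", ["curl", "https://example.com/"]),  # other host
    ProcessEvent("web-02", "start", "python3",
                 ["python3", "-c", "import requests; requests.get('https://api.telegram.org/')"]),
    ProcessEvent("web-03", "end", "curl", ["curl", "https://api.telegram.org/"]),  # exit event
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The python3 event shows the rule's intended scope: only curl and wget are covered, so other clients reaching the same domain need a separate network-based detection.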
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Command
  • Network Traffic
ATT&CK Techniques
  • T1071
  • T1071.001
Created: 2025-04-29