Openssl Client or Server Activity

Elastic Detection Rules

Summary
This detection rule monitors for suspicious activity related to the OpenSSL client and server on Linux endpoints. It identifies when OpenSSL is invoked to establish secure connections, which can indicate data exfiltration or the creation of command-and-control channels by malicious actors. The rule uses Elastic's Event Query Language (EQL) to look for specific process execution patterns associated with OpenSSL, focusing on client connections and server setups that may indicate malicious intent. Exclusions are applied for known benign processes to reduce false positives. A series of investigation and response steps is provided to handle any identified threats effectively.
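The matching logic the summary describes, as an added example and not the rule's own EQL query: a small Python scanner that reads ECS-style process events (process.name, process.args, process.parent.name, event.type), flags openssl starts that look like a client connection or a server setup, and skips an allowlist of benign parent processes. The subcommand and flag patterns, the allowlist contents and the sample log lines are all constructed assumptions; the real rule's patterns and exclusions are not on this page.

```python
"""Toy replica of the detection behaviour described on the page.

Flags openssl process-start events that look like a client connection or a
server setup, unless the parent process is on a benign allowlist. Field names
follow ECS naming; the patterns and allowlist below are assumptions, not the
rule's real query.
"""
import json
from typing import Iterable, List, Optional

# Assumed (not from the page): openssl subcommands that indicate a client
# connection or a server setup, and parent processes treated as benign.
CLIENT_SUBCOMMAND = "s_client"
SERVER_SUBCOMMAND = "s_server"
BENIGN_PARENTS = {"apt", "dpkg", "certbot"}  # constructed allowlist


def classify_event(event: dict) -> Optional[str]:
    """Return 'openssl_client', 'openssl_server' or None for one ECS-like event."""
    process = event.get("process", {})
    if process.get("name") != "openssl":
        return None
    # Only process starts matter; exits of the same process are ignored.
    if "start" not in event.get("event", {}).get("type", []):
        return None
    # Exclusion for known benign parents, as the rule does to cut false positives.
    if process.get("parent", {}).get("name") in BENIGN_PARENTS:
        return None
    args = process.get("args", [])
    if CLIENT_SUBCOMMAND in args and "-connect" in args:
        return "openssl_client"
    if SERVER_SUBCOMMAND in args:
        return "openssl_server"
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify_event over newline-delimited JSON events and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        verdict = classify_event(event)
        if verdict is None:
            continue
        process = event["process"]
        alerts.append({
            "category": verdict,
            "command_line": " ".join(process.get("args", [])),
            "parent": process.get("parent", {}).get("name"),
        })
    return alerts


# Constructed sample events (documentation IP range, made-up hosts and files).
SAMPLE_LOG = """
{"event": {"type": ["start"]}, "process": {"name": "openssl", "args": ["openssl", "s_client", "-connect", "203.0.113.10:443"], "parent": {"name": "bash"}}}
{"event": {"type": ["start"]}, "process": {"name": "openssl", "args": ["openssl", "x509", "-in", "cert.pem", "-text"], "parent": {"name": "bash"}}}
{"event": {"type": ["start"]}, "process": {"name": "openssl", "args": ["openssl", "s_server", "-accept", "8443", "-cert", "server.pem", "-key", "server.key"], "parent": {"name": "sh"}}}
{"event": {"type": ["start"]}, "process": {"name": "openssl", "args": ["openssl", "s_client", "-connect", "updates.example.net:443"], "parent": {"name": "certbot"}}}
{"event": {"type": ["end"]}, "process": {"name": "openssl", "args": ["openssl", "s_client", "-connect", "203.0.113.10:443"], "parent": {"name": "bash"}}}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Of the five constructed events only the first and third are reported: the x509 invocation is ordinary certificate inspection, the certbot-parented client connection is dropped by the allowlist, and the final event is a process end rather than a start.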
Categories
  • Endpoint
Data Sources
  • Process
  • File
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1071
Created: 2024-07-30