
Summary
This rule detects the installation of Visual Studio Code Tunnel as a service on Windows systems, which can be indicative of a command-and-control (C2) operation by threat actors. The detection is based on monitoring process creation events and specifically looking for command line arguments associated with the setup of the code-tunnel service. By matching a combination of keywords such as 'tunnel', 'service', 'internal-run', and 'tunnel-service.log', the rule aims to identify the execution of commands that would initiate this service. False positives may occur during legitimate installations of the code-tunnel service, so additional context is needed before confirming malicious intent.
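As an added example, not code from the rule page itself, the keyword matching described above is applied to constructed process-creation events, and each hit is enriched with the fields an analyst would pull to tell a legitimate install from a suspicious one. Requiring all four keywords to co-occur, and the event field names (User, ParentImage, CommandLine), are assumptions.

```python
import re

# Keywords the rule looks for in the process command line (from the page);
# requiring all of them to co-occur is an assumption about the rule's logic.
REQUIRED_KEYWORDS = ("tunnel", "service", "internal-run", "tunnel-service.log")

# Constructed process-creation events, not real telemetry. Only CommandLine
# drives the match; the other fields are kept for analyst triage.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel service internal-run --log "C:\ProgramData\tunnel-service.log"'},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"code.exe tunnel service internal-run --log C:\Users\Public\tunnel-service.log"},
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\code.exe" --folder-uri file:///C:/repo'},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc.exe create MyService binPath= C:\svc\service.exe"},
]

# Extracts the service log path so the analyst knows which file to collect.
LOG_PATH_RE = re.compile(r'--log\s+"?([^"\s]*tunnel-service\.log)', re.IGNORECASE)

def matches_code_tunnel_service(event):
    """True when every rule keyword appears in the command line (case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return all(k in cmd for k in REQUIRED_KEYWORDS)

def triage_context(event):
    """Collect the fields needed to separate a legitimate install from C2 setup."""
    m = LOG_PATH_RE.search(event.get("CommandLine", ""))
    return {
        "user": event.get("User"),
        "parent": event.get("ParentImage"),
        "log_path": m.group(1) if m else None,
    }

def run_detection(events):
    """Return one triage record per event that triggers the rule."""
    return [triage_context(e) for e in events if matches_code_tunnel_service(e)]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Both hits in the sample set are the same command line shape; the user, parent process and log location are what distinguish an administrator's install from one launched under an unexpected account.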
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-10-25