Potential Linux Tunneling and/or Port Forwarding via SSH Option

Elastic Detection Rules

Summary
This detection rule identifies potential SSH tunneling or port forwarding on Linux hosts. Attackers use these SSH features to exfiltrate data over an encrypted channel or to maintain covert command-and-control traffic that blends in with legitimate administrative SSH sessions. The rule is written in Elastic's EQL and matches process start events in which the ssh command line carries options associated with tunneling, such as ProxyCommand or LocalForward. Events are collected from Elastic Defend, CrowdStrike, and SentinelOne, so the same logic applies across these endpoint data sources. The low risk score of 21 reflects that SSH port forwarding is also common in routine administration: a hit is suspicious but not conclusive on its own, and an analyst should weigh context such as the user, the target host, and whether the forwarded destination is expected for that account. The rule is intended for security teams defending Linux systems against the protocol-tunneling command-and-control technique.
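The following is an added example, not Elastic's rule or any code from this page: a small Python stand-in for the rule's matching logic, run over constructed ECS-style process-start events. It checks the ssh command line for tunneling options passed as `-o Key=Value` or `-oKey=Value`. The page names ProxyCommand and LocalForward; the example goes slightly beyond that by also treating the ssh_config siblings RemoteForward and DynamicForward, and their short-flag equivalents -L, -R and -D, as hits. That wider option list, the event field layout, and all sample events are assumptions made for the example.

```python
import re

# ssh_config keywords that establish a tunnel or port forward. The page names
# ProxyCommand and LocalForward; RemoteForward and DynamicForward are assumed
# additions with the same effect (ssh_config(5)). Keyword matching in ssh is
# case-insensitive, so names are compared in lower case.
TUNNEL_OPTIONS = {"proxycommand", "localforward", "remoteforward", "dynamicforward"}

# Short client flags equivalent to those options (assumed extension beyond the page).
FLAG_TO_OPTION = {"-L": "localforward", "-R": "remoteforward", "-D": "dynamicforward"}

_OPT_RE = re.compile(r"^([A-Za-z]+)=")


def _option_name(value):
    """Extract the keyword from an 'Key=Value' ssh option string, lower-cased."""
    m = _OPT_RE.match(value)
    return m.group(1).lower() if m else None


def ssh_tunnel_options(args):
    """Return the set of tunneling-related options found in an ssh argv list.

    Handles '-o Key=Value', '-oKey=Value', and the short flags -L/-R/-D with the
    value either attached or as the next argument. Bundled single-letter flags
    such as '-vL' are not parsed (a known limitation of this stand-in).
    """
    found = set()
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-o" and i + 1 < len(args):          # -o Key=Value (two argv entries)
            name = _option_name(args[i + 1])
            i += 1
        elif a.startswith("-o") and len(a) > 2:      # -oKey=Value (one argv entry)
            name = _option_name(a[2:])
        elif a[:2] in FLAG_TO_OPTION:                # -L / -R / -D, value attached or next
            name = FLAG_TO_OPTION[a[:2]]
        else:
            name = None
        if name in TUNNEL_OPTIONS:
            found.add(name)
        i += 1
    return found


def rule_matches(event):
    """Return tunneling options for a Linux ssh process-start event, else an empty set.

    Field layout (host.os.type, event.type, process.name/args/pid) is an assumed
    ECS-style shape, not a statement of what each vendor integration emits.
    """
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return set()
    if "start" not in event.get("event", {}).get("type", []):
        return set()
    proc = event.get("process", {})
    if proc.get("name") != "ssh":
        return set()
    return ssh_tunnel_options(proc.get("args", []))


def alerts(events):
    """Run the check over a batch of events and return (pid, sorted options) per hit."""
    out = []
    for ev in events:
        hit = rule_matches(ev)
        if hit:
            out.append((ev["process"]["pid"], sorted(hit)))
    return out


def _event(pid, name, args, os_type="linux", etype="start"):
    """Build a constructed sample event (not captured telemetry)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": [etype]},
        "process": {"pid": pid, "name": name, "args": args},
    }


# Constructed sample events: three tunneling command lines, one benign ssh call,
# one non-ssh process, and one non-start event that must be ignored.
SAMPLE_EVENTS = [
    _event(101, "ssh", ["ssh", "-o", "ProxyCommand=nc -X connect -x 10.0.0.5:8080 %h %p", "alice@10.0.0.9"]),
    _event(102, "ssh", ["ssh", "-L", "8080:intranet.example:80", "bob@bastion.example"]),
    _event(103, "ssh", ["ssh", "-oLocalForward=3306 db.example:3306", "-oRemoteForward=2222 localhost:22", "carol@jump.example"]),
    _event(104, "ssh", ["ssh", "-o", "StrictHostKeyChecking=no", "dave@10.0.0.12"]),
    _event(105, "scp", ["scp", "-o", "LocalForward=9000 x:9000", "file", "eve@10.0.0.13:/tmp"]),
    _event(106, "ssh", ["ssh", "-D", "1080", "frank@10.0.0.14"], etype="end"),
]

if __name__ == "__main__":
    for pid, opts in alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: ssh tunneling options {opts} (risk score 21, low; needs context)")
```

The benign event 104 shows why the risk score is low: `-o` by itself is not the signal, only the specific forwarding keywords are, and even those appear in legitimate administration. An analyst would pivot from a hit to the user, the target host, and whether the forwarded destination is expected before escalating.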
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Process
  • Network Traffic
  • Application Log
  • User Account
ATT&CK Techniques
  • T1572
Created: 2025-04-25