
Unusual Base64 Encoding/Decoding Activity

Elastic Detection Rules

Summary
This detection rule uses Elastic Security Query Language (ES|QL) to identify unusual base64 encoding and decoding activity on Linux systems. Attackers often base64-encode malicious payloads or command and control (C2) traffic to obfuscate them and bypass detection mechanisms. The rule examines process events that signify command execution, specifically looking for base64 utilities or related scripting languages performing decoding. Its criteria are: command line arguments that indicate a decoding action, processes executed within the last hour, and command lines seen on only a single agent with a low execution count, so that routine fleet-wide use is filtered out. The Elastic Defend integration must be installed to collect the process data the rule depends on. The rule runs at a low severity level but highlights a potential defense evasion tactic.
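The following is an added example that re-implements the summarised detection criteria in Python over constructed process events; it is not Elastic's rule, query or code. The field names follow ECS-style conventions, while the set of decoder processes, the decode-argument markers, the one-hour window and the count threshold of 15 are assumptions made here, since the page states "low execution counts" without a number.

```python
"""Toy re-implementation of the base64-decode detection logic summarised
above. Example code written for this page, not Elastic's rule or query.
The sample events, thresholds and process list are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Processes treated as carriers of base64 decoding (an assumption; the
# rule's exact list is not given on the page).
DECODER_PROCESSES = {"base64", "python", "python3", "perl", "php", "ruby"}


def is_decode_command(process_name, command_line):
    """True when the command looks like a base64 *decode*, not an encode."""
    if process_name not in DECODER_PROCESSES:
        return False
    tokens = command_line.split()
    # The coreutils decode flags, matched as whole tokens.
    if "-d" in tokens or "--decode" in tokens:
        return True
    # Scripting-language one-liners: look for library decode calls.
    return any("b64decode" in t or "decode_base64" in t for t in tokens)


def find_unusual_base64(events, now, window=timedelta(hours=1), max_count=15):
    """Return (command_line, agent_id, count) for decode commands that ran
    within `window` of `now`, on exactly one agent, at most `max_count` times.
    Command lines seen on several agents or run many times are treated as
    routine (scheduled jobs, fleet-wide tooling) and dropped."""
    cutoff = now - window
    agents = defaultdict(set)   # command line -> set of agent ids
    counts = defaultdict(int)   # command line -> executions in window
    for ev in events:
        if ev["event.type"] not in ("start", "exec"):   # command execution only
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        if ts < cutoff or ts > now:                      # outside the window
            continue
        if not is_decode_command(ev["process.name"], ev["process.command_line"]):
            continue
        cmd = ev["process.command_line"]
        agents[cmd].add(ev["agent.id"])
        counts[cmd] += 1
    hits = []
    for cmd, seen in agents.items():
        if len(seen) == 1 and counts[cmd] <= max_count:
            hits.append((cmd, next(iter(seen)), counts[cmd]))
    return sorted(hits)


def _event(ts, agent, name, cmd, etype="start"):
    """Build one constructed ECS-style process event."""
    return {"@timestamp": ts, "agent.id": agent, "process.name": name,
            "process.command_line": cmd, "event.type": etype}


# Constructed sample telemetry; "now" is fixed so the window is deterministic.
NOW = datetime(2025, 2, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    _event("2025-02-21T11:30:00+00:00", "agent-a", "base64", "base64 -d /tmp/blob.b64"),
    _event("2025-02-21T11:31:00+00:00", "agent-a", "base64", "base64 -d /tmp/blob.b64"),
    _event("2025-02-21T11:40:00+00:00", "agent-a", "python3",
           "python3 -c import base64,sys;print(base64.b64decode(sys.argv[1]))"),
    _event("2025-02-21T11:45:00+00:00", "agent-b", "base64", "base64 /etc/hostname"),     # encode, ignored
    _event("2025-02-21T09:00:00+00:00", "agent-c", "base64", "base64 --decode old.b64"),  # outside window
    _event("2025-02-21T11:50:00+00:00", "agent-d", "base64", "base64 -d /opt/app/conf.b64"),
    _event("2025-02-21T11:51:00+00:00", "agent-e", "base64", "base64 -d /opt/app/conf.b64"),  # two agents, ignored
    _event("2025-02-21T11:58:00+00:00", "agent-a", "base64", "base64 -d /tmp/x.b64", etype="end"),  # not an exec
] + [
    # A noisy scheduled job on one host: 20 runs, above the count threshold.
    _event("2025-02-21T11:55:00+00:00", "agent-f", "base64", "base64 -d /var/lib/job/chunk.b64")
    for _ in range(20)
]

if __name__ == "__main__":
    for cmd, agent, count in find_unusual_base64(SAMPLE_EVENTS, NOW):
        print(f"{agent}: {count}x {cmd}")
```

Run against the constructed events, only the two command lines from `agent-a` survive: the encode-only invocation, the event outside the window, the command line shared by two agents, the non-exec event and the 20-run job are all filtered out, which is the same shape of reasoning the rule's single-agent and low-count conditions apply.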
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • User Account
  • Container
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.004
  • T1204
  • T1204.002
Created: 2025-02-21