Remote Access Tool - Team Viewer Session Started On Linux Host

Sigma Rules

Summary
This detection rule monitors execution of the TeamViewer application on a Linux host and specifically targets the start of a remote session. It inspects process creation events to identify when TeamViewer's remote desktop component is launched. The key indicators are that the process is spawned by the TeamViewer service and that its command line is the one used to start the desktop client. Once a remote connection has been established, the connection details can be investigated further in the "incoming_connections.txt" log file in the TeamViewer installation directory. Because TeamViewer is a legitimate remote access tool, the rule is intended to surface potentially unauthorized access, but it will also fire on valid use cases such as remote support sessions, so matches need triage rather than automatic blocking.
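The matching logic described above, worked through as an added example rather than the rule's own YAML or any TeamViewer code. It evaluates a Sigma-style map selection (an AND over field/modifier pairs, case-insensitive as Sigma defaults to) against constructed Linux process-creation events. The field values (a parent ending in `/TeamViewer`, an image ending in `/TeamViewer_Desktop`, the `--IPCport` command line) and the sample paths are assumptions modelled on the summary, not values taken from the rule or from a real installation; the triage hint only points at the installation directory the summary names.

```python
"""Sigma-style selection matching over constructed process-creation events.

Added example: the selection values and sample events below are assumptions
based on the rule summary, not the published rule's own fields.
"""
import os
from typing import Dict, List

# Assumed selection: mirrors the three indicators in the summary.
RULE_SELECTION = {
    "ParentImage|endswith": "/TeamViewer",                 # assumed: spawned by the TeamViewer service
    "Image|endswith": "/TeamViewer_Desktop",               # assumed: the desktop client binary
    "CommandLine|contains": "TeamViewer_Desktop --IPCport",  # assumed: session start command line
}


def _match_value(event_value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; Sigma matching is case-insensitive by default."""
    v, p = event_value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """A Sigma map selection is an AND over all its field/value pairs."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _match_value(event[field], modifier, pattern):
            return False
    return True


def find_sessions(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of events that satisfy the selection."""
    return [i for i, e in enumerate(events) if matches_selection(e, RULE_SELECTION)]


def triage_hint(event: Dict[str, str]) -> str:
    """Name the log an analyst should review next. The install directory is assumed
    to be the parent of the service binary's directory (an assumption, not a fact)."""
    install_dir = os.path.dirname(os.path.dirname(event["ParentImage"]))
    return f"review {install_dir}/incoming_connections.txt for the connection details"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: session started by the service -> should match
        "ParentImage": "/opt/teamviewer/tv_bin/TeamViewer",
        "Image": "/opt/teamviewer/tv_bin/TeamViewer_Desktop",
        "CommandLine": "/opt/teamviewer/tv_bin/TeamViewer_Desktop --IPCport 5939 --Module 1",
    },
    {   # 1: user launching the GUI from a shell -> no session, no match
        "ParentImage": "/usr/bin/bash",
        "Image": "/opt/teamviewer/tv_bin/TeamViewer",
        "CommandLine": "/opt/teamviewer/tv_bin/TeamViewer",
    },
    {   # 2: unrelated daemon -> no match
        "ParentImage": "/usr/lib/systemd/systemd",
        "Image": "/usr/sbin/sshd",
        "CommandLine": "/usr/sbin/sshd -D",
    },
    {   # 3: same session with odd casing -> still matches (case-insensitive)
        "ParentImage": "/opt/TEAMVIEWER/tv_bin/TeamViewer",
        "Image": "/opt/TEAMVIEWER/tv_bin/teamviewer_desktop",
        "CommandLine": "/opt/TEAMVIEWER/tv_bin/teamviewer_desktop --IPCport 5939 --Module 1",
    },
]

if __name__ == "__main__":
    for idx in find_sessions(SAMPLE_EVENTS):
        print(f"event {idx}: TeamViewer session start; {triage_hint(SAMPLE_EVENTS[idx])}")
```

Event 1 shows why the rule keys on the desktop client rather than on any TeamViewer binary: an operator opening the GUI locally is not a remote session and should not page anyone. Event 3 is a reminder that a converter for a case-sensitive backend must lower-case both sides, or the rule silently loses coverage.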
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2024-03-11