
PANW and Elastic Defend - Command and Control Correlation

Elastic Detection Rules

Summary
This rule identifies command-and-control (C2) communications by correlating network events from Palo Alto Networks (PANW) firewalls with Elastic Defend network events. It is written in EQL (Event Query Language) as a sequence of network events: a firewall-observed pattern that may indicate C2 activity, followed by the matching connection as seen on the endpoint. Correlating the two sources attributes the suspicious connection to the source process on the endpoint, so security teams get a concrete lead (host, process, destination) rather than a bare firewall alert when investigating a possible breach or unauthorized access. The rule is relevant to organizations running Elastic Defend on their endpoints alongside Palo Alto Networks firewalls, where the two data sources can be joined.
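To make the correlation concrete, here is an added Python illustration written for this page; it is not the rule's own EQL query and not code from Elastic. It joins a C2-flagged firewall event to the endpoint network event for the same connection and reports the owning process. The field names are ECS-style flat keys, the `threat.category` value used as the firewall's C2 verdict is a stand-in, the 5-tuple plus time-window join key is an assumption about how the real rule pairs events, and all events are constructed, not captured from any environment.

```python
"""Toy PANW <-> Elastic Defend C2 correlation (added illustration, not the rule's EQL)."""
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample events (hypothetical values, ECS-style flat keys).
PANW_EVENTS = [
    {  # firewall threat event carrying a C2 verdict (field name is an assumption)
        "@timestamp": "2025-11-18T10:00:05Z", "event.dataset": "panw.panorama",
        "event.action": "alert", "threat.category": "command-and-control",
        "source.ip": "10.1.2.3", "source.port": 51234,
        "destination.ip": "203.0.113.10", "destination.port": 443,
    },
    {  # ordinary allowed session from the same host: no verdict, must not match
        "@timestamp": "2025-11-18T10:00:06Z", "event.dataset": "panw.panorama",
        "event.action": "allow", "threat.category": None,
        "source.ip": "10.1.2.3", "source.port": 51235,
        "destination.ip": "198.51.100.7", "destination.port": 443,
    },
]

ENDPOINT_EVENTS = [
    {  # Elastic Defend network event for the flagged connection (same 5-tuple, 1s earlier)
        "@timestamp": "2025-11-18T10:00:04Z", "event.dataset": "endpoint.events.network",
        "host.name": "ws-042", "process.name": "updater.exe",
        "process.executable": "C:\\Users\\Public\\updater.exe", "process.pid": 4412,
        "source.ip": "10.1.2.3", "source.port": 51234,
        "destination.ip": "203.0.113.10", "destination.port": 443,
    },
    {  # a browser talking to the same destination from another ephemeral port: not the flagged flow
        "@timestamp": "2025-11-18T10:00:05Z", "event.dataset": "endpoint.events.network",
        "host.name": "ws-042", "process.name": "browser.exe",
        "process.executable": "C:\\Program Files\\Browser\\browser.exe", "process.pid": 2210,
        "source.ip": "10.1.2.3", "source.port": 51240,
        "destination.ip": "203.0.113.10", "destination.port": 443,
    },
    {  # same 5-tuple reused half an hour earlier: outside the window, must not match
        "@timestamp": "2025-11-18T09:30:00Z", "event.dataset": "endpoint.events.network",
        "host.name": "ws-042", "process.name": "sync.exe",
        "process.executable": "C:\\Tools\\sync.exe", "process.pid": 1900,
        "source.ip": "10.1.2.3", "source.port": 51234,
        "destination.ip": "203.0.113.10", "destination.port": 443,
    },
]


def five_tuple(ev):
    """Join key: the connection identity shared by firewall and endpoint views."""
    return (ev["source.ip"], ev["source.port"], ev["destination.ip"], ev["destination.port"])


def is_c2_verdict(ev):
    """Stand-in for the firewall's C2 verdict (assumed field/value, not the real PANW mapping)."""
    return ev.get("event.action") == "alert" and ev.get("threat.category") == "command-and-control"


def correlate(panw_events, endpoint_events, window=timedelta(seconds=30), is_c2=is_c2_verdict):
    """Pair each C2-flagged firewall event with endpoint network events for the same
    5-tuple observed within +/- window, and return one finding per pair with the process."""
    by_tuple = {}
    for ep in endpoint_events:
        by_tuple.setdefault(five_tuple(ep), []).append(ep)

    findings = []
    for fw in panw_events:
        if not is_c2(fw):
            continue
        fw_time = ts(fw["@timestamp"])
        for ep in by_tuple.get(five_tuple(fw), []):
            if abs(ts(ep["@timestamp"]) - fw_time) <= window:
                findings.append({
                    "host.name": ep["host.name"],
                    "process.name": ep["process.name"],
                    "process.executable": ep["process.executable"],
                    "process.pid": ep["process.pid"],
                    "destination.ip": fw["destination.ip"],
                    "destination.port": fw["destination.port"],
                    "firewall.timestamp": fw["@timestamp"],
                    "endpoint.timestamp": ep["@timestamp"],
                })
    return findings


if __name__ == "__main__":
    for f in correlate(PANW_EVENTS, ENDPOINT_EVENTS):
        print(f)
```

Two practical points the toy makes visible. The ephemeral source port is what pins the firewall alert to one process: joining on source and destination IP alone would also pull in the browser's session to the same server. And the join only works if both sides see the same addresses, so when NAT sits between the endpoint and the firewall the firewall side must be joined on its original (pre-NAT) source fields; the window also has to absorb clock skew between the two sensors, which is why the sample uses a 30-second tolerance rather than equality.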
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
  • Container
  • Process
Created: 2025-11-18