
Remote Access Tool - Team Viewer Session Started On MacOS Host

Sigma Rules

Summary
This detection rule identifies the start of a TeamViewer session on a macOS host. TeamViewer is a remote access tool that can be abused for unauthorized access, so session starts are worth recording even when most of them are legitimate. The detection works on process-creation events and looks for the parent process 'TeamViewer_Service' directly launching the 'TeamViewer_Desktop' application with the '--IPCport' and '--Module' flags on its command line. When an incoming connection has been established, investigators are advised to cross-reference the connection details with the 'incoming_connections.txt' log file in the TeamViewer installation directory to verify that the connection was legitimate. The rule therefore serves both to surface potentially malicious use of TeamViewer and to monitor legitimate business activity.
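The matching logic described above, run over constructed process-creation events, as an added example (not the rule's own Sigma source). The event field names, the install path and the flag values are assumptions made for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List

# Constructed process-creation events in the shape the rule describes.
# Field names (parent_image, image, command_line) are this example's
# assumptions, not the rule's Sigma field names.
@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

REQUIRED_FLAGS = {"--IPCport", "--Module"}

def matches_teamviewer_session(ev: ProcessEvent) -> bool:
    """True when the parent is TeamViewer_Service and the child is
    TeamViewer_Desktop started with both --IPCport and --Module."""
    parent = ev.parent_image.rsplit("/", 1)[-1]
    image = ev.image.rsplit("/", 1)[-1]
    if parent != "TeamViewer_Service" or image != "TeamViewer_Desktop":
        return False
    try:
        argv = shlex.split(ev.command_line)
    except ValueError:  # unbalanced quotes: treat as no match
        return False
    # accept both "--Flag value" and "--Flag=value" spellings
    flags = {a.split("=", 1)[0] for a in argv[1:] if a.startswith("--")}
    return REQUIRED_FLAGS <= flags

def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events to verify against incoming_connections.txt."""
    return [ev for ev in events if matches_teamviewer_session(ev)]

TV = "/Applications/TeamViewer.app/Contents/MacOS"  # assumed install path
SAMPLE_EVENTS = [  # constructed sample data
    ProcessEvent("mac-01", f"{TV}/TeamViewer_Service", f"{TV}/TeamViewer_Desktop",
                 f"{TV}/TeamViewer_Desktop --IPCport 12345 --Module 1"),
    # GUI launched by the user without the IPC flags: should not match
    ProcessEvent("mac-02", "/sbin/launchd", f"{TV}/TeamViewer_Desktop",
                 f"{TV}/TeamViewer_Desktop"),
    # unrelated child of the service: should not match
    ProcessEvent("mac-03", f"{TV}/TeamViewer_Service", "/usr/bin/uptime", "/usr/bin/uptime"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"{ev.host}: TeamViewer session start, check incoming_connections.txt")
```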
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
Created: 2024-03-11