Connection to External Network via Telnet

Elastic Detection Rules

Summary
This rule is designed to detect Telnet connections from Linux systems to external network addresses (publicly routable IPs) to identify potential lateral movement or unauthorized data access attempts. Telnet, being a non-encrypted communication protocol, poses a security risk as adversaries may exploit it for unauthorized access or data exfiltration. The detection logic captures sequences of Telnet process initiation events followed by network connection events, ensuring that connections to designated non-internal IP ranges are flagged. The rule incorporates a list of exceptions for known reserved and private IP ranges to minimize false positives associated with legitimate internal connections. A risk score of 47 indicates a medium severity level for alerts generated by this rule, necessitating further investigation of flagged events.
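As an added illustration that is not part of the rule page or Elastic's own query, the following Python sketch reproduces the correlation the summary describes over constructed events: a telnet process start followed by a connection from the same host and pid, flagged only when the destination falls outside a set of private and reserved ranges. The exception list, the 5-second window and the event field names are assumptions, since the page does not give them.

```python
import ipaddress
from datetime import datetime, timedelta
# Assumed exception list (the page says reserved/private ranges are excluded
# but does not enumerate them); this is a typical set, not the rule's own.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

def is_external(dest):
    """True when dest is an IP literal outside every excluded range."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False  # hostnames are not classified here
    return not any(addr in net for net in EXCLUDED_NETWORKS)

def detect(events, max_gap=timedelta(seconds=5)):
    """Correlate telnet process starts with a later connection from the same
    host and pid; return (host, pid, dest) for each external destination."""
    pending = {}  # (host, pid) -> start time of an unmatched telnet process
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_start":
            if ev["name"] == "telnet":
                pending[key] = ev["ts"]
        elif ev["type"] == "connection" and key in pending:
            started = pending.pop(key)  # one connection per process start
            if ev["ts"] - started <= max_gap and is_external(ev["dest"]):
                hits.append((ev["host"], ev["pid"], ev["dest"]))
    return hits

# Constructed sample telemetry (not real data): an internal telnet session,
# an external one, and an ssh session that must not match.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "web01", "pid": 4101, "type": "process_start", "name": "telnet"},
    {"ts": T0 + timedelta(seconds=1), "host": "web01", "pid": 4101, "type": "connection", "dest": "10.20.30.40"},
    {"ts": T0 + timedelta(seconds=2), "host": "web01", "pid": 4102, "type": "process_start", "name": "telnet"},
    {"ts": T0 + timedelta(seconds=3), "host": "web01", "pid": 4102, "type": "connection", "dest": "23.45.67.89"},
    {"ts": T0 + timedelta(seconds=4), "host": "web01", "pid": 4103, "type": "process_start", "name": "ssh"},
    {"ts": T0 + timedelta(seconds=5), "host": "web01", "pid": 4103, "type": "connection", "dest": "23.45.67.90"},
]

if __name__ == "__main__":
    for host, pid, dest in detect(SAMPLE_EVENTS):
        print(f"ALERT host={host} pid={pid} external telnet dest={dest}")
```

Only the second session is reported; the first goes to a private address and the third is not telnet.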
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1021
Created: 2020-04-23