
Suspicious Network Connection Attempt by Root

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, monitors for abnormal outbound network connection attempts made by processes running as the root user on Linux. It uses EQL (Event Query Language) to look for a sequence in which a process attempts a network connection and, shortly afterwards, the same process changes its session ID, a pattern consistent with reverse shell activity. Default and known SSH-related executables are excluded to reduce false positives. Because root privileges can be abused and an unauthorized outbound connection from root carries high risk, alerts from this rule warrant close scrutiny. If the rule triggers, investigate the context of the outbound connection and the processes involved to determine whether the behavior is legitimate or a genuine threat.
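To make the sequence logic concrete, the following is an added Python re-implementation of the rule's idea run over constructed sample events; it is not Elastic's EQL, and the field names, the SSH exclusion list and the one-second window are assumptions, not values taken from the rule.

```python
from dataclasses import dataclass

# Assumed values: the real rule's ECS field names, exclusion list and
# time window live in Elastic's EQL and may differ from these placeholders.
SSH_EXCLUSIONS = {"ssh", "sshd"}   # hypothetical default exclusions
MAX_SPAN_SECONDS = 1.0             # hypothetical maximum gap between the two events
ROOT_UID = 0


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    pid: int       # stands in for a process entity id
    uid: int       # effective user id of the process
    exe: str       # process name
    action: str    # "connection_attempted" or "session_id_change"


def detect(events):
    """Return (connect, sid_change) pairs where a root, non-SSH process attempted
    an outbound connection and then changed its session id within MAX_SPAN_SECONDS."""
    pending = {}   # pid -> most recent qualifying connection attempt
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "connection_attempted":
            if ev.uid == ROOT_UID and ev.exe not in SSH_EXCLUSIONS:
                pending[ev.pid] = ev
        elif ev.action == "session_id_change":
            first = pending.pop(ev.pid, None)
            if first is not None and 0 <= ev.ts - first.ts <= MAX_SPAN_SECONDS:
                hits.append((first, ev))
    return hits


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    Event(100.0, 4242, 0, "nc", "connection_attempted"),      # root, then setsid: match
    Event(100.2, 4242, 0, "nc", "session_id_change"),
    Event(101.0, 5151, 0, "sshd", "connection_attempted"),    # excluded executable
    Event(101.1, 5151, 0, "sshd", "session_id_change"),
    Event(102.0, 6161, 0, "curl", "connection_attempted"),    # outside the window
    Event(110.0, 6161, 0, "curl", "session_id_change"),
    Event(103.0, 7171, 1000, "python3", "connection_attempted"),  # not root
    Event(103.1, 7171, 1000, "python3", "session_id_change"),
]


def run_sample():
    return [(c.pid, c.exe, s.ts - c.ts) for c, s in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for pid, exe, gap in run_sample():
        print(f"ALERT pid={pid} exe={exe} session changed {gap:.1f}s after connect")
```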
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1095
  • T1548
  • T1548.003
Created: 2022-05-16