
Summary
This detection rule identifies unauthorized attempts to establish remote tunnel sessions with the Visual Studio Code (VS Code) application on Windows systems. It focuses on execution of the VS Code portable binary with command-line arguments that indicate a connection to either GitHub or a remote VS Code instance: it monitors process creation events whose arguments include 'tunnel' and checks for additional flags that suggest legitimate usage. Matches are flagged because the behavior may indicate Command and Control (C2) activity, while exceptions can be defined for known legitimate usage scenarios. For investigation and response, the rule provides guidance on validating suspicious activity, correlating with other security alerts, and promptly remediating confirmed threats.
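The following is an added illustration of the detection logic described above, run over constructed process-creation events; it is not the rule's own code. It assumes the VS Code executables are named code.exe or code-tunnel.exe, treats 'tunnel' as a standalone argument rather than a substring (so a path such as C:\projects\tunnel-app does not match), and uses a hypothetical allowlist of command-line fragments standing in for the "flags that suggest legitimate usage", which the summary does not name.

```python
"""Added example (not the rule's own code): a small detection over
constructed Windows process-creation events, mirroring the logic the
summary describes for VS Code remote tunnel sessions."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
import shlex

# Assumption: VS Code binaries that can start a tunnel. The summary only
# speaks of "the VS Code portable binary"; these two names are assumed here.
VSCODE_IMAGES = ("code.exe", "code-tunnel.exe")

# Hypothetical allowlist: command-line fragments that mark approved usage.
# The page does not name the legitimate-usage flags, so this placeholder
# must be filled per environment.
LEGITIMATE_MARKERS = ("--name approved-devbox",)


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the executable as logged
    command_line: str  # raw command line (Sysmon EID 1 / 4688 style)
    user: str


def _split_windows_cmdline(cmdline: str) -> List[str]:
    # posix=False keeps backslashes in Windows paths intact; quotes are
    # retained on tokens, so strip them afterwards.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify(event: ProcessEvent,
             markers: Sequence[str] = LEGITIMATE_MARKERS) -> Optional[str]:
    """Return an alert reason when the event matches the rule, else None."""
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in VSCODE_IMAGES:
        return None
    tokens = _split_windows_cmdline(event.command_line)
    # 'tunnel' must be an argument in its own right (the subcommand), not a
    # substring of a path or file name, otherwise the rule becomes noisy.
    if "tunnel" not in (t.lower() for t in tokens[1:]):
        return None
    lowered = event.command_line.lower()
    if any(m.lower() in lowered for m in markers):
        return None  # known legitimate usage: suppressed
    return f"{image_name} started a remote tunnel session as {event.user}"


def detect(events: Sequence[ProcessEvent],
           markers: Sequence[str] = LEGITIMATE_MARKERS
           ) -> List[Tuple[ProcessEvent, str]]:
    """Run the rule over a batch of events; returns (event, reason) pairs."""
    hits = []
    for ev in events:
        reason = classify(ev, markers)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # portable binary launched from a user profile with the tunnel subcommand
    ProcessEvent(r"C:\Users\alice\Downloads\VSCode-win32\code.exe",
                 r'"C:\Users\alice\Downloads\VSCode-win32\code.exe" tunnel',
                 "CORP\\alice"),
    # ordinary editor launch; 'tunnel' appears only inside a folder name
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\code.exe",
                 r'"C:\Program Files\Microsoft VS Code\code.exe" C:\projects\tunnel-app',
                 "CORP\\bob"),
    # tunnel session carrying the (hypothetical) approved marker
    ProcessEvent(r"C:\Tools\code-tunnel.exe",
                 r'"C:\Tools\code-tunnel.exe" tunnel --name approved-devbox',
                 "CORP\\svc-build"),
    # unrelated process mentioning the word
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo tunnel", "CORP\\carol"),
]

if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print(reason, "|", ev.command_line)
```

Only the first sample event alerts: the second lacks the subcommand, the third is suppressed by the allowlist marker, and the fourth is not a VS Code binary. Passing an empty allowlist to `classify` shows the third event would otherwise match, which is the exception mechanism the summary refers to.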
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1219
Created: 2024-09-09