Potential Traffic Tunneling using QEMU

Elastic Detection Rules

Summary
This detection rule identifies potential traffic tunneling through the QEMU hardware emulator, a legitimate tool that has also been abused to route network packets covertly between virtual machines. By analyzing process creation events together with the command line arguments passed to QEMU, the rule alerts when it sees activity that may signal an attempt to forward ports or establish a covert communication channel over the network. The rule uses EQL (Event Query Language) to pinpoint instances where QEMU is started with specific networking arguments indicative of tunneling behavior. Detailed investigation steps guide the analyst through verifying legitimate usage and assessing potential misuse of QEMU.
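The summary does not reproduce the rule's EQL or the exact arguments it matches. The following added example (not Elastic's rule or code) shows the same detection idea in Python over constructed process-creation events, assuming that QEMU's user-mode networking `hostfwd=` port-forwarding option is a reasonable stand-in for the "specific networking arguments" the rule keys on; the event field names and sample command lines are assumptions.

```python
import re
import shlex

# Constructed sample process-creation events; not real telemetry and not the
# fields or conditions of Elastic's rule, which this page does not reproduce.
SAMPLE_EVENTS = [
    {"process.name": "qemu-system-x86_64",
     "process.command_line": ("qemu-system-x86_64 -m 1024 -nographic "
                              "-netdev user,id=n0,hostfwd=tcp::4444-:4444 "
                              "-device e1000,netdev=n0 -drive file=disk.img")},
    {"process.name": "qemu-system-x86_64",
     "process.command_line": ("qemu-system-x86_64 -m 4096 -enable-kvm "
                              "-netdev user,id=n0 -device virtio-net,netdev=n0 "
                              "-cdrom ubuntu.iso")},
    {"process.name": "python3",
     "process.command_line": "python3 -c \"print('hostfwd=tcp::1-:1')\""},
]

# QEMU syntax: hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp)?:([^:,]*):(\d+)-([^:,]*):(\d+)")
NET_OPTIONS = {"-netdev", "-net", "-nic"}

def hostfwd_mappings(command_line):
    """Return (proto, host_port, guest_port) for every hostfwd= found on a
    user-mode network backend in a QEMU command line."""
    try:
        argv = shlex.split(command_line)
    except ValueError:          # unbalanced quotes: treat as no mappings
        return []
    mappings = []
    for opt, value in zip(argv, argv[1:]):
        if opt not in NET_OPTIONS or value.split(",")[0] != "user":
            continue
        for m in HOSTFWD_RE.finditer(value):
            proto = m.group(1) or "tcp"   # QEMU defaults to tcp
            mappings.append((proto, int(m.group(3)), int(m.group(5))))
    return mappings

def detect_qemu_tunneling(events):
    """Flag events whose process is QEMU and whose command line forwards host
    ports into the guest (assumed stand-in for the rule's argument check)."""
    alerts = []
    for ev in events:
        if not ev.get("process.name", "").startswith("qemu"):
            continue
        mappings = hostfwd_mappings(ev.get("process.command_line", ""))
        if mappings:
            alerts.append({"process": ev["process.name"], "hostfwd": mappings})
    return alerts

if __name__ == "__main__":
    for alert in detect_qemu_tunneling(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event is flagged: the second runs QEMU with user-mode networking but no port forward, and the third merely mentions `hostfwd=` in a non-QEMU process.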
Categories
  • Endpoint
  • Cloud
  • Kubernetes
Data Sources
  • Process
  • Application Log
  • Network Traffic
  • Logon Session
  • Command
ATT&CK Techniques
  • T1219
Created: 2026-02-09