
Summary
This detection rule targets potential reverse shell activity executed via terminal commands. A reverse shell is a technique attackers use to gain remote access to a system, and it is often executed through a command-line shell application. The rule is designed to detect suspicious process executions whose arguments may indicate an outgoing connection to an external entity. It analyzes process names and command-line arguments using Elastic's EQL (Event Query Language), requires the 'auditbeat' and 'logs-endpoint' indices to be monitored, and generates alerts when the specified criteria are met, including the presence of certain command patterns and process names. False positives are expected to be rare, since legitimate usage matching these criteria is uncommon. The outlined investigation steps are to trace the target domain or IP, assess abnormal behavior of the involved processes or accounts, and initiate incident response actions, isolating potentially compromised hosts and mitigating further risk.
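As an added illustration of the detection logic the summary describes (example code written for this page, not the rule's EQL or anything from Elastic), the following Python applies process-name and command-line criteria to constructed process events and extracts the destination an analyst would trace in the investigation step. The shell list, the `/dev/tcp` argument pattern, the internal-range exclusion and the event field names are assumptions, not the rule's own criteria.

```python
import ipaddress
import re

# Assumed shell process names; the rule summary names no specific list.
SHELLS = {"bash", "sh", "zsh", "dash", "ksh"}
# Assumed argument pattern: a bash-style /dev/tcp or /dev/udp socket path.
DEVSOCK_RE = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-]+)/(\d{1,5})")
# Ranges treated as internal so that local connectivity checks do not alert.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(host: str) -> bool:
    """True for public IPs and for hostnames (resolved later, during investigation)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def evaluate(event: dict):
    """Apply the process-name and argument criteria to one process-start event.
    Returns the fields an analyst needs to trace the destination, or None."""
    if event.get("event_type") != "start" or event.get("process_name") not in SHELLS:
        return None
    m = DEVSOCK_RE.search(event.get("command_line", ""))
    if m is None:
        return None
    proto, host, port = m.group(1), m.group(2), int(m.group(3))
    if not is_external(host):
        return None
    return {"pid": event["pid"], "user": event["user"],
            "proto": proto, "host": host, "port": port}

def scan(events):
    """Return one finding per event that meets every criterion."""
    return [f for f in map(evaluate, events) if f is not None]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "start", "pid": 101, "user": "alice", "process_name": "bash",
     "command_line": "bash -c 'ls -la /tmp'"},
    {"event_type": "start", "pid": 102, "user": "ops", "process_name": "bash",
     "command_line": "bash -c 'exec 3<>/dev/tcp/127.0.0.1/22'"},
    {"event_type": "start", "pid": 103, "user": "www", "process_name": "bash",
     "command_line": "bash -c 'exec 3<>/dev/tcp/198.51.100.7/4444'"},
]
```

Running `scan(SAMPLE_EVENTS)` yields a single finding, for pid 103, with the destination host and port already extracted; the loopback check on pid 102 is suppressed by the internal-range exclusion.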
Categories
- Endpoint
- Linux
- macOS
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1059
Created: 2020-01-07