Telegram Bot API Request

Sigma Rules

Summary
This detection rule flags potentially malicious Telegram Bot activity by monitoring DNS queries for the Telegram Bot API endpoint, api.telegram.org. Its purpose is to surface unauthorized or suspicious interactions with the Telegram platform, which a range of malware families use as a command-and-control (C2) channel. As attacks that route their communications through Telegram have become more common, the rule addresses the broader concern of legitimate applications being abused for malicious purposes. It triggers on any DNS query for the specified domain, which in an organizational context may indicate misuse of the platform. False positives are possible where internal services or employees use Telegram Bots for valid reasons, so alerts need careful evaluation. Security teams should establish the context of the logged activity before acting on it, to avoid unnecessary disruption of legitimate use.
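The following is an added illustration, not the Sigma rule itself: it applies the rule's condition (a DNS query for api.telegram.org) to constructed Sysmon-style DnsQuery events and separates hits from a sanctioned internal bot process from the rest, which is the false-positive triage the summary calls for. The JSON field names, the case/trailing-dot normalisation and the matching of labels under the domain are assumptions of this example.

```python
import json

# Constructed sample events in a Sysmon Event ID 22 (DnsQuery) style; not real telemetry.
SAMPLE_LOG = [
    r'{"ts":"2024-01-10T09:00:01Z","host":"ws-017","image":"C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe","query":"api.telegram.org"}',
    r'{"ts":"2024-01-10T09:00:05Z","host":"ws-017","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","query":"www.example.com"}',
    r'{"ts":"2024-01-10T09:01:10Z","host":"srv-alerts","image":"C:\\Tools\\alertbot\\alertbot.exe","query":"API.telegram.org."}',
    r'{"ts":"2024-01-10T09:02:00Z","host":"ws-022","image":"C:\\Windows\\System32\\rundll32.exe","query":"cdn.telegram.org"}',
]

RULE_DOMAIN = "api.telegram.org"


def query_matches(query: str) -> bool:
    """Mirror the rule's condition: a DNS query for api.telegram.org.
    Lower-casing, stripping a trailing dot and accepting labels under the
    domain are assumptions of this example, not the rule's stated logic."""
    name = query.rstrip(".").lower()
    return name == RULE_DOMAIN or name.endswith("." + RULE_DOMAIN)


def evaluate(lines, approved_images):
    """Apply the rule to JSON-lines DNS events and tag every hit.
    approved_images: lower-cased image paths the organisation has sanctioned
    to use the Bot API (the legitimate-use case the summary describes); hits
    from them are tagged 'expected', everything else 'alert'."""
    results = []
    for line in lines:
        ev = json.loads(line)
        if not query_matches(ev.get("query", "")):
            continue
        tag = "expected" if ev.get("image", "").lower() in approved_images else "alert"
        results.append({"tag": tag, "host": ev["host"], "image": ev["image"], "query": ev["query"]})
    return results


if __name__ == "__main__":
    # Hypothetical sanctioned internal alerting bot.
    approved = {r"c:\tools\alertbot\alertbot.exe"}
    for hit in evaluate(SAMPLE_LOG, approved):
        print(hit["tag"], hit["host"], hit["image"], hit["query"])
```

The process tagged 'alert' is the one the analyst should investigate first; the 'expected' hit still deserves a periodic review of the allowlist entry that suppressed it.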
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Domain Name
Created: 2018-06-05