
Summary
This rule detects the GNU Debugger (GDB) being executed with the CAP_SYS_PTRACE capability and then initiating an outbound network connection as root (UID/GID 0). CAP_SYS_PTRACE lets a process trace and control other processes, which attackers can abuse to inject code into processes running with elevated privileges. The rule captures the sequence in which a GDB execution is followed by a root-initiated network connection, a pattern that can indicate privilege escalation or command and control (C2) activity. The underlying EQL query correlates events over a window of at most 30 seconds: it checks for a GDB execution that is followed by a network connection attempt, which can surface malicious use such as establishing a reverse shell or other hostile communication.
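To make the correlation concrete, the following is an added example (not the rule's own EQL query, which this page does not reproduce) that re-implements the described two-stage sequence with a 30-second maxspan in Python over constructed ECS-style events. The field names, the process.entity_id join key and the sample events are assumptions, not taken from the rule.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)   # the rule's correlation window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_gdb_with_ptrace(e):
    # Stage 1: a gdb process start whose effective capability set holds CAP_SYS_PTRACE.
    return (e["event.category"] == "process" and e["process.name"] == "gdb"
            and "CAP_SYS_PTRACE" in e["process.thread.capabilities.effective"])


def is_root_connection(e):
    return e["event.category"] == "network" and e["user.id"] == "0"   # Stage 2: root connects out


def find_sequences(events, maxspan=MAXSPAN):
    """Emulate `sequence by process.entity_id with maxspan=30s [stage1] [stage2]`.
    The join key (process.entity_id) is an assumption about how the real rule
    correlates the stages. Returns (gdb_event, network_event) pairs."""
    pending, matches = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        key = e["process.entity_id"]
        if is_gdb_with_ptrace(e):
            pending[key] = e                     # open (or reopen) a window for this key
        elif is_root_connection(e) and key in pending:
            first = pending.pop(key)             # the partial sequence completes or expires once
            if parse_ts(e["@timestamp"]) - parse_ts(first["@timestamp"]) <= maxspan:
                matches.append((first, e))
    return matches


def ev(ts, category, entity, caps=(), uid="0"):
    # Constructed ECS-style event (sample data, not real telemetry); field names are assumed.
    return {"@timestamp": ts, "event.category": category, "event.type": "start",
            "process.entity_id": entity, "process.name": "gdb", "user.id": uid,
            "process.thread.capabilities.effective": list(caps)}


SAMPLE_EVENTS = [
    ev("2024-01-09T10:00:00Z", "process", "p1", ["CAP_SYS_PTRACE"]),
    ev("2024-01-09T10:00:12Z", "network", "p1"),               # 12 s later: alert
    ev("2024-01-09T10:01:00Z", "process", "p2", ["CAP_SYS_PTRACE"]),
    ev("2024-01-09T10:01:45Z", "network", "p2"),               # 45 s later: window expired
    ev("2024-01-09T10:02:00Z", "network", "p3"),               # no preceding gdb start
    ev("2024-01-09T10:03:00Z", "process", "p4", ["CAP_NET_RAW"]),
    ev("2024-01-09T10:03:05Z", "network", "p4"),               # gdb lacked CAP_SYS_PTRACE
]

for gdb, net in find_sequences(SAMPLE_EVENTS):
    print(f"ALERT entity={gdb['process.entity_id']} gdb={gdb['@timestamp']} connect={net['@timestamp']}")
```

Only the p1 pair is reported; the p2 pair falls outside the 30-second window, p3 has no preceding GDB start, and p4's GDB lacked the capability.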
Categories
- Linux
- Endpoint
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1055
- T1055.008
- T1068
- T1059
- T1059.004
- T1071
Created: 2024-01-09