
Summary
This detection rule identifies DNS query requests for the Telegram API domain (api.telegram.org) made by processes that are likely not the legitimate Telegram application (telegram.exe). The analytic uses Sysmon Event ID 22 (DNS query) data to detect hosts attempting to communicate with Telegram's infrastructure, which could indicate a compromise involving a Telegram bot, a channel often used for malware Command and Control (C2). An unexpected process name combined with DNS queries for a known bot API suggests that an attacker may be using Telegram for covert communications, so the activity is treated as suspicious and warrants further investigation. The rule improves security posture by surfacing potential malware communication channels within the network, helping assess the risk of such activity, and raising alerts so security teams can respond promptly.
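As an added illustration (not part of the rule catalogue or its query language), the matching logic of this rule run over constructed Sysmon Event ID 22 records in JSON-lines form; the field names follow Sysmon's DnsQuery event, while the paths, PIDs and timestamps are made up for the example:

```python
"""Sysmon Event ID 22 (DnsQuery) detection: flag queries for
api.telegram.org issued by any image other than telegram.exe."""
import json
import ntpath

TELEGRAM_API_DOMAIN = "api.telegram.org"
LEGIT_IMAGES = {"telegram.exe"}  # basename allowlist, lowercase

# Constructed sample Sysmon EID 22 (and one EID 1) records, not real telemetry.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-12-12 10:01:02.000", "EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "ProcessId": 4120, "QueryName": "api.telegram.org", "QueryStatus": "0"}
{"UtcTime": "2024-12-12 10:03:15.000", "EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "ProcessId": 7788, "QueryName": "api.telegram.org", "QueryStatus": "0"}
{"UtcTime": "2024-12-12 10:04:40.000", "EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 5120, "QueryName": "web.telegram.org", "QueryStatus": "0"}
{"UtcTime": "2024-12-12 10:05:01.000", "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": 9001, "CommandLine": "powershell.exe -nop"}
{"UtcTime": "2024-12-12 10:05:03.000", "EventID": 22, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": 9001, "QueryName": "API.TELEGRAM.ORG.", "QueryStatus": "0"}
"""


def normalize_domain(name: str) -> str:
    """Lowercase and drop the trailing dot so 'API.TELEGRAM.ORG.' matches."""
    return name.strip().rstrip(".").lower()


def is_suspicious_telegram_query(event: dict) -> bool:
    """True when an EID 22 record queries the bot API from a non-allowlisted image."""
    if int(event.get("EventID", 0)) != 22:
        return False  # only DnsQuery events carry QueryName
    if normalize_domain(event.get("QueryName", "")) != TELEGRAM_API_DOMAIN:
        return False
    # ntpath handles Windows paths regardless of the host running this script
    image = ntpath.basename(event.get("Image", "")).lower()
    return image not in LEGIT_IMAGES


def detect(jsonl: str) -> list[dict]:
    """Return one alert per suspicious record, in input order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        if is_suspicious_telegram_query(event):
            alerts.append({"time": event["UtcTime"], "image": event["Image"],
                           "pid": event["ProcessId"], "query": event["QueryName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Matching the allowlist on the image basename alone is the loosest reasonable reading of the rule; when tuning it for an environment, comparing the full path of the known Telegram install reduces false negatives.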
Categories
- Endpoint
Data Sources
- Pod
- Container
- Process
- Network Traffic
ATT&CK Techniques
- T1102.002
- T1071.004
- T1071
- T1102
Created: 2024-12-12