Excel Spawning PowerShell

Splunk Security Content

Summary
This rule aimed to detect instances of Microsoft Excel spawning PowerShell processes, a behavior that is uncommon in normal use and is frequently tied to malicious activity such as spearphishing. It used process creation events collected from Endpoint Detection and Response (EDR) agents, matching events where the parent process was 'excel.exe' and the child process was PowerShell. The detection was valuable because such a parent/child pair often indicates execution of encoded PowerShell commands, which can lead to arbitrary code execution, data exfiltration, privilege escalation, or persistent access. The rule has been deprecated in favor of a more generic detection, 'Windows Office Product Spawned Uncommon Process.' Organizations should still monitor this behavior, as it can signify an ongoing compromise or an active attack against their environment.
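The parent/child match described above, applied to constructed EDR process-creation events, as an added example that is not part of the Splunk rule itself. Field names, the list of PowerShell process names and the severity scoring are assumptions; the decoder only renders the base64 UTF-16LE payload of -EncodedCommand so an analyst can see what was launched.

```python
import base64

# Process names PowerShell runs under (assumed list; extend for your environment).
POWERSHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Constructed sample EDR process-creation events; field names are assumptions,
# not Splunk's own data model.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "parent_process_name": "EXCEL.EXE",
     "process_name": "powershell.exe",
     "process": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"dest": "ws01", "user": "alice", "parent_process_name": "EXCEL.EXE",
     "process_name": "splwow64.exe", "process": "splwow64.exe 12288"},
    {"dest": "ws02", "user": "bob", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "process": "powershell.exe -File tidy.ps1"},
    {"dest": "ws03", "user": "carol", "parent_process_name": "excel.exe",
     "process_name": "pwsh.exe", "process": "pwsh.exe -c Get-Date"},
]


def encoded_command(cmdline):
    """Return the payload following -e/-ec/-enc/-EncodedCommand, else None.
    PowerShell accepts any unambiguous prefix of the switch name, so match prefixes
    (-ea, -ex and similar are different switches and do not match)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok.startswith("-") and name and "encodedcommand".startswith(name):
            return tokens[i + 1]
    return None


def decode_encoded_command(payload):
    """-EncodedCommand carries UTF-16LE text in base64; decode it for analyst context."""
    try:
        return base64.b64decode(payload).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_excel_spawned_powershell(events):
    """Flag process-creation events whose parent is excel.exe and child is PowerShell."""
    findings = []
    for ev in events:
        parent = ev.get("parent_process_name", "").lower()
        child = ev.get("process_name", "").lower()
        if parent != "excel.exe" or child not in POWERSHELL_CHILDREN:
            continue
        payload = encoded_command(ev.get("process", ""))
        findings.append({
            "dest": ev.get("dest"), "user": ev.get("user"), "process": ev.get("process"),
            "decoded_command": decode_encoded_command(payload) if payload else None,
            "severity": "high" if payload else "medium",  # assumed scoring
        })
    return findings


if __name__ == "__main__":
    for finding in detect_excel_spawned_powershell(SAMPLE_EVENTS):
        print(finding)
```

Only the two Excel-parented PowerShell launches are reported; the encoded one is scored higher and its payload is shown decoded.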
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1566
  • T1003.002
  • T1003
  • T1566.001
Created: 2025-01-13