Windows Security Event Logs Queried

Anvilogic Forge

Summary
This detection rule identifies potentially malicious use of the Windows command-line utility 'wevtutil.exe'. The utility is normally used to access and retrieve information from Windows event logs, which can contain sensitive information such as usernames and records of logon and other security events. Threat actors, specifically the Mustang Panda group, have been observed leveraging this tool to gather intelligence on target systems. The detection logic monitors process executions in which 'wevtutil', or a renamed copy of it, is used to query the Windows Security event log. The rule uses a regex pattern over the command line to identify this behavior, matching in particular on the 'Query-Event' verb together with the 'security' log name. Because threat actors often rename or otherwise manipulate 'wevtutil' to avoid detection, the detection logic is deliberately broad enough to cover such variations rather than keying on the executable name alone.
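The summary describes the logic but does not show the rule's regex. The following is an added example, not the Anvilogic Forge rule itself, of how a command-line detection of this kind can be written and run over process-creation telemetry. It assumes the page's 'Query-Event' parameter corresponds to wevtutil's query-events verb and its qe alias, assumes telemetry carrying image path, PE original file name and command line (the Process and Command data sources listed below), and uses constructed sample events rather than real logs. Matching on the verb and log name rather than on the image name is what lets a renamed binary still trigger; the original-file-name comparison is an added secondary indicator that flags the rename itself.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). The field
# names are assumptions modelled on typical EDR/Sysmon process + command data.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "original_file_name": "wevtutil.exe",
     "command_line": "wevtutil.exe qe Security /c:50 /rd:true /f:text"},
    {"image": r"C:\Users\Public\svchost.exe",          # renamed copy of wevtutil
     "original_file_name": "wevtutil.exe",
     "command_line": "svchost.exe query-events Security /q:*[System[(EventID=4624)]]"},
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "original_file_name": "wevtutil.exe",
     "command_line": "wevtutil.exe qe Application /c:10"},   # not the Security log
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "original_file_name": "wevtutil.exe",
     "command_line": "wevtutil.exe el"},                      # enumerates log names only
    {"image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe",
     "command_line": "cmd.exe /c echo security"},             # benign mention of the word
]

# Detection regex: the query-events verb (long form or the "qe" alias) as its
# own token, followed by the Security log name as its own token. wevtutil accepts
# either casing, so the match is case-insensitive. Nothing here depends on the
# executable being called wevtutil.exe.
QUERY_SECURITY_RE = re.compile(
    r"(?i)(?:^|\s)(?:qe|query-events)\s+\"?security\"?(?:\s|$)"
)


@dataclass
class Finding:
    command_line: str
    renamed: bool  # True when the on-disk name differs from the PE original file name


def _basename(path):
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(event):
    """Return a Finding if the event is a Security-log query, else None."""
    cmd = event["command_line"]
    if not QUERY_SECURITY_RE.search(cmd):
        return None
    # Secondary indicator: the binary identifies itself as wevtutil in its PE
    # metadata but was launched under a different file name. Detection does not
    # depend on this field being present, only the 'renamed' flag does.
    renamed = (event.get("original_file_name", "").lower() == "wevtutil.exe"
               and _basename(event["image"]) != "wevtutil.exe")
    return Finding(command_line=cmd, renamed=renamed)


def scan(events):
    """Run the detection over a list of events and return all findings."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        prefix = "[renamed binary] " if finding.renamed else ""
        print(prefix + finding.command_line)
```

Run as a script, the block reports two of the five sample events: the plain wevtutil query and the renamed copy, with the Application-log query, the log enumeration and the unrelated cmd.exe line left alone. In production the regex would be applied to the command-line field of the process-creation data source, and the renamed flag can be used to raise the severity of a hit rather than as a precondition for it.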
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1087
Created: 2024-12-13