This detection rule is designed to identify the execution of unauthorized local large language model (LLM) frameworks and Python-based AI/ML libraries running on Windows endpoints. The rule is crucial for monitoring potential shadow AI deployments and unauthorized operations that may involve model inference and data exfiltration. The analytics utilize process creation events from security logs, specifically looking for known executable names and associated command-line arguments. It allows security analysts to pinpoint instances where these frameworks are launched, highlighting significant threats to sensitive data or governance policies within an organization. If discovered, such activities might indicate malicious intent, necessitating further investigation.