
Summary
This detection rule is designed to alert security teams about unusual signals related to host, user, and process command line combinations on Windows systems. The rule specifically targets anomalies in the process command line that might indicate adversarial reconnaissance, leveraging alert data aggregated from various previous Discovery building block rules. By scrutinizing unique entries in `host.id`, `user.id`, and `process.command_line`, the rule can identify deviations from typical patterns, thus providing a proactive approach to threat detection. Furthermore, the associated investigation guide offers a structured methodology for triaging alerts, assessing historical activity, analyzing command line patterns, and correlating with other logs. It also highlights the potential for false positives from legitimate administrative activities and suggests mitigation steps for handling such cases. The alert is intended to reinforce security postures by flagging potentially malicious activities early in their lifecycle, allowing for timely investigation and response.
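As an added illustration of the first-seen check the summary describes (this is not the rule's own query, which the page does not show), the following Python builds a baseline of `host.id`/`user.id`/normalized `process.command_line` tuples from older Discovery alerts and flags combinations first seen in the last 24 hours; the alert records, host ids and SIDs are constructed sample data.

```python
"""Added example (not the vendor's rule code): first-seen check over
(host.id, user.id, process.command_line); alerts below are constructed data."""
import re
from datetime import datetime, timedelta

# Constructed sample: a recurring admin ipconfig on h1, then two first-seen
# discovery commands on h2 by a different user on the day being triaged.
SAMPLE_ALERTS = [
    {"@timestamp": "2023-09-01T09:00:00", "host.id": "h1", "user.id": "S-1-5-21-1",
     "process.command_line": "ipconfig /all"},
    {"@timestamp": "2023-09-08T09:05:00", "host.id": "h1", "user.id": "S-1-5-21-1",
     "process.command_line": "ipconfig  /ALL"},
    {"@timestamp": "2023-09-22T10:00:00", "host.id": "h1", "user.id": "S-1-5-21-1",
     "process.command_line": "ipconfig /all"},
    {"@timestamp": "2023-09-22T10:01:00", "host.id": "h2", "user.id": "S-1-5-21-9",
     "process.command_line": "whoami /groups"},
    {"@timestamp": "2023-09-22T10:01:30", "host.id": "h2", "user.id": "S-1-5-21-9",
     "process.command_line": 'net group "domain admins" /domain'},
]

def normalize(cmd: str) -> str:
    """Fold case and whitespace so cosmetic variants map to one baseline key."""
    return re.sub(r"\s+", " ", cmd.strip()).lower()

def combo_key(alert: dict) -> tuple:
    return (alert["host.id"], alert["user.id"], normalize(alert["process.command_line"]))

def first_seen_combinations(alerts, now_iso, baseline_days=30, recent_hours=24):
    """Return recent-window alerts whose key never occurred in the baseline
    window (older than recent_hours, newer than baseline_days); one per key."""
    now = datetime.fromisoformat(now_iso)
    recent_start = now - timedelta(hours=recent_hours)
    baseline_start = now - timedelta(days=baseline_days)
    baseline, recent = set(), []
    for a in alerts:
        ts = datetime.fromisoformat(a["@timestamp"])
        if baseline_start <= ts < recent_start:
            baseline.add(combo_key(a))
        elif recent_start <= ts <= now:
            recent.append(a)
    flagged, reported = [], set()
    for a in recent:
        k = combo_key(a)
        if k not in baseline and k not in reported:
            reported.add(k)
            flagged.append(a)
    return flagged

if __name__ == "__main__":
    for hit in first_seen_combinations(SAMPLE_ALERTS, "2023-09-22T12:00:00"):
        print("first-seen combination:", combo_key(hit))
```

The recurring `ipconfig /all` on h1 is suppressed by the baseline despite its case and spacing variant, while the two h2 commands are reported once each; shorten the baseline window and the same admin activity starts surfacing as a false positive, which is the triage trade-off the guide mentions.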
Categories
- Endpoint
Data Sources
- Process
- User Account
- Network Traffic
- Application Log
Created: 2023-09-22