
PowerShell Remote Session Creation


Summary
This rule detects the creation of PowerShell remote sessions, a common vector for lateral movement. Adversaries frequently use PowerShell to run scripts that perform unauthorized actions on remote systems. The rule inspects PowerShell script blocks for the 'New-PSSession' cmdlet used together with the '-ComputerName' parameter, which indicates an attempt to open a remote session to a named computer. Because the same behavior is legitimate in many administrative contexts, the rule is set to medium severity to balance the threat against false positives from authorized administrative tasks. The rule requires Script Block Logging to be enabled so that the PowerShell execution data it matches on is actually captured. The included references give additional background on the significance of PowerShell remote sessions and on the required logging configuration.
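The following Python snippet is an added illustration of the detection logic described above; it is not the Sigma rule itself or code from the rule's maintainers. It runs the 'New-PSSession' plus '-ComputerName' check over constructed sample records shaped like Script Block Logging events (Event ID 4104). The field names (EventID, Computer, User, ScriptBlockText), the 4104 filter, the target-host extraction, and the admin-account triage helper are all assumptions made for this example and go slightly beyond what the rule states.

```python
import re

# Constructed sample records modelled on PowerShell Script Block Logging
# (Event ID 4104). Field names and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\alice",
     "ScriptBlockText": "New-PSSession -ComputerName srv-fileshare -Credential $cred"},
    {"EventID": 4104, "Computer": "WS02", "User": "CORP\\bob",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"EventID": 4104, "Computer": "WS03", "User": "CORP\\carol",
     "ScriptBlockText": "$s = new-pssession -computername 'dc01'; Invoke-Command -Session $s { whoami }"},
    {"EventID": 4104, "Computer": "WS04", "User": "CORP\\dave",
     "ScriptBlockText": "New-PSSession -ConfigurationName Microsoft.PowerShell"},
    # Same script text but not a script-block event: a 4104 filter skips it.
    {"EventID": 4103, "Computer": "WS05", "User": "CORP\\eve",
     "ScriptBlockText": "New-PSSession -ComputerName srv-db"},
]

# Sigma 'contains' matching is case-insensitive, so normalise before testing.
def is_remote_session_creation(script_text: str) -> bool:
    text = script_text.lower()
    return "new-pssession" in text and "-computername" in text

# Pull the target host out of the script block for analyst triage
# (an addition for this example; the rule itself only matches).
TARGET_RE = re.compile(r"-computername\s+['\"]?([\w.\-]+)", re.IGNORECASE)

def extract_target(script_text: str):
    match = TARGET_RE.search(script_text)
    return match.group(1) if match else None

def detect(events, script_block_event_id: int = 4104):
    """Return one alert dict per matching script-block event."""
    hits = []
    for event in events:
        if event.get("EventID") != script_block_event_id:
            continue
        text = event.get("ScriptBlockText", "")
        if not is_remote_session_creation(text):
            continue
        hits.append({
            "severity": "medium",          # severity level stated by the rule
            "technique": "T1059.001",      # ATT&CK technique stated by the rule
            "source_host": event.get("Computer"),
            "user": event.get("User"),
            "target": extract_target(text),
            "script": text,
        })
    return hits

def triage(hits, admin_accounts):
    """Tag hits from known administrative accounts as expected activity.

    This models the false-positive handling the rule summary alludes to;
    the allowlist is an assumption, not part of the rule.
    """
    for hit in hits:
        hit["disposition"] = "expected" if hit["user"] in admin_accounts else "review"
    return hits

if __name__ == "__main__":
    for alert in triage(detect(SAMPLE_EVENTS), admin_accounts={"CORP\\alice"}):
        print(f"[{alert['disposition']}] {alert['user']} on {alert['source_host']} "
              f"-> {alert['target']}: {alert['script']}")
```

Matching on substrings is exactly as broad as the rule: it fires on the fourth sample only if '-ComputerName' is present, so a 'New-PSSession' bound to a local configuration does not alert, while a lower-case invocation with a quoted host name still does.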
Categories
  • Windows
Data Sources
  • Script
ATT&CK Techniques
  • T1059.001
Created: 2022-01-06