Suspicious Msbuild Execution By Uncommon Parent Process

Summary
This detection rule targets potentially suspicious executions of `Msbuild.exe`, a legitimate Microsoft build tool, when it is started by an uncommon parent process. The selection matches process-creation events whose `Image` (the execution path) ends in `Msbuild.exe`, or whose original file name is `MSBuild.exe`. To minimize false positives, a filter excludes executions whose parent is a known launcher such as `devenv.exe` (Visual Studio), `cmd.exe`, and others. The condition fires only when the `Msbuild.exe` selection matches and the parent is not one of the filtered processes. The goal is to flag misuse of `Msbuild.exe` as a means of evading detection during attacks; the rule is rated medium severity.
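As an added illustration (not the Sigma rule itself, nor code from the rule's project), the following Python evaluator applies the selection / filter / condition logic described above to constructed Sysmon-style process-creation events. The parent allowlist is an assumption limited to the two names the page gives (`devenv.exe`, `cmd.exe`); the file paths and events are constructed sample data.

```python
from dataclasses import dataclass

# Parent images the page names as excluded. Assumption: the real rule's
# allowlist is longer; only the two the page mentions are used here.
KNOWN_PARENTS = ("\\devenv.exe", "\\cmd.exe")


@dataclass
class ProcessEvent:
    """The subset of a Sysmon process-creation event the rule inspects."""
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    parent_image: str        # full path of the parent process


def selection(ev: ProcessEvent) -> bool:
    """Child is MSBuild, by path suffix or original file name (catches renamed copies)."""
    return (ev.image.lower().endswith("\\msbuild.exe")
            or ev.original_file_name.lower() == "msbuild.exe")


def known_parent(ev: ProcessEvent) -> bool:
    """Filter: the parent is one of the expected launchers (case-insensitive)."""
    return ev.parent_image.lower().endswith(KNOWN_PARENTS)


def alerts(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Rule condition: selection and not filter."""
    return [ev for ev in events if selection(ev) and not known_parent(ev)]


# Constructed sample events, not real telemetry.
VS = r"C:\Program Files\Microsoft Visual Studio\2022\Community"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    # Visual Studio build: expected parent, filtered out.
    ProcessEvent(VS + r"\MSBuild\Current\Bin\MSBuild.exe", "MSBuild.exe", VS + r"\Common7\IDE\devenv.exe"),
    # Scripted build from a shell: expected parent, filtered out (case differs on purpose).
    ProcessEvent(NET.lower() + r"\msbuild.exe", "MSBuild.exe", r"C:\Windows\System32\CMD.EXE"),
    # MSBuild launched from explorer.exe: uncommon parent, alerts.
    ProcessEvent(NET + r"\MSBuild.exe", "MSBuild.exe", r"C:\Windows\explorer.exe"),
    # Renamed copy: path no longer ends in msbuild.exe, original file name still matches.
    ProcessEvent(r"C:\Users\Public\build.exe", "MSBuild.exe", r"C:\Windows\explorer.exe"),
    # Unrelated process under the same parent: selection fails, no alert.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", r"C:\Windows\explorer.exe"),
]

for ev in alerts(SAMPLE_EVENTS):
    print(f"ALERT: {ev.image} <- parent {ev.parent_image}")
```

Two of the five constructed events alert: the explorer-launched `MSBuild.exe` and the renamed copy, which only the original-file-name clause catches.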
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-11-17