
Summary
This rule detects potentially suspicious DNS queries to the URL shortening service tinyurl.com made by processes running from unusual or non-standard directories on a Windows system, using Sysmon Event ID 22 (DNS query). URL shorteners are often used by threat actors to mask malicious endpoints, and their use in a corporate environment by scripts or non-browser processes is a red flag. The analytic recommends correlating with additional signals such as outbound connections, file downloads, and process execution context to assess the risk. Analysts should investigate the source process and the URLs being resolved to determine whether they pose a security threat.
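As an added illustration (not the rule's own query logic), the following Python re-implements the two conditions described above and runs them over constructed records shaped like Sysmon Event ID 22 output. The field names `Image` and `QueryName` mirror Sysmon's DNS-query event; the `STANDARD_DIRS` list of "expected" program locations and the sample events are assumptions made for this example.

```python
"""Added illustrative example (not the rule's own query): flag Sysmon
Event ID 22 DNS-query records for tinyurl.com from processes running
outside standard program directories."""
from typing import Dict, Iterable, List

# Assumed set of "standard" directories for this example; a process running
# from anywhere else (user profiles, ProgramData, Windows\Temp, ...) is
# treated as unusual. Deliberately narrower than C:\Windows\ so that
# C:\Windows\Temp is not excluded.
STANDARD_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

SHORTENER_DOMAIN = "tinyurl.com"


def is_shortener_query(query_name: str) -> bool:
    """Match tinyurl.com or any of its subdomains, case-insensitively.

    Trailing dots (FQDN form) are stripped, and the suffix check includes
    the leading dot so look-alikes such as 'tinyurl.com.example.test' or
    'nottinyurl.com' do not match.
    """
    q = query_name.strip().rstrip(".").lower()
    return q == SHORTENER_DOMAIN or q.endswith("." + SHORTENER_DOMAIN)


def is_unusual_path(image: str) -> bool:
    """True when the process image is not under one of STANDARD_DIRS."""
    path = image.strip().lower().replace("/", "\\")
    return not path.startswith(STANDARD_DIRS)


def detect_shortener_queries(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events matching both conditions of the rule.

    Each event uses the Sysmon Event ID 22 fields 'Image' (full path of the
    querying process) and 'QueryName' (the name being resolved).
    """
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        query = ev.get("QueryName", "")
        if is_shortener_query(query) and is_unusual_path(image):
            hits.append(ev)
    return hits


# Constructed sample records, shaped like Sysmon Event ID 22 output.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "QueryName": "tinyurl.com", "User": "CORP\\alice"},          # hit: user temp dir
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "tinyurl.com", "User": "CORP\\alice"},          # browser, expected
    {"Image": r"C:\ProgramData\svc\agent.exe",
     "QueryName": "api.TinyURL.com.", "User": "NT AUTHORITY\\SYSTEM"},  # hit: subdomain
    {"Image": r"C:\Users\bob\Downloads\tool.exe",
     "QueryName": "tinyurl.com.example.test", "User": "CORP\\bob"},  # look-alike, no hit
    {"Image": r"C:\Users\bob\Downloads\tool.exe",
     "QueryName": "www.example.com", "User": "CORP\\bob"},         # unrelated domain
    {"Image": r"C:\Windows\Temp\stage.exe",
     "QueryName": "tinyurl.com", "User": "CORP\\bob"},            # hit: Windows\Temp
]


if __name__ == "__main__":
    for hit in detect_shortener_queries(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} image={hit['Image']} query={hit['QueryName']}")
```

The example flags three of the six constructed records. Note that the path check alone is what decides "unusual": a scripting host under `C:\Windows\System32` resolving tinyurl.com would pass this filter, which is why the summary recommends correlating with process execution context rather than relying on the directory test by itself.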
Categories
- Endpoint
Data Sources
- Windows Registry
- Network Traffic
- Process
ATT&CK Techniques
- T1105
Created: 2025-06-02