
Summary
This analytic rule detects the execution of rare processes: processes that appear only once across all monitored endpoints within a defined timeframe. Such processes can signal potentially malicious activity or unauthorized software installations, which in turn may indicate a security breach or an ongoing attack. The detection relies on process-execution telemetry provided by Endpoint Detection and Response (EDR) systems. Benign processes that execute infrequently may also reflect administrative changes or unusual usage patterns, and these still warrant further investigation. Early detection through this rule can help limit the impact of data theft, privilege escalation, or system compromise. Organizations are advised to implement this rule as part of their security monitoring strategy, particularly in environments where unusual process executions could indicate an ongoing threat.
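The counting logic the rule describes, as an added illustration that is not the rule's own implementation: it normalizes the image path to a process name, keeps only events inside the timeframe, and returns the processes that ran exactly once across all endpoints. The events are constructed sample data and the field names (ts, host, image) are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample EDR process-execution events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"ts": "2024-11-13T08:00:00", "host": "WS-01", "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-11-13T08:05:00", "host": "WS-02", "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-11-13T09:00:00", "host": "WS-01", "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"ts": "2024-11-13T09:30:00", "host": "WS-03", "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"ts": "2024-11-13T10:15:00", "host": "WS-02", "image": r"C:\Users\jdoe\AppData\Local\Temp\updater_x.exe"},
    {"ts": "2024-11-13T11:00:00", "host": "WS-03", "image": r"C:\Tools\PsExec.exe"},
    # Same tool seen three days earlier; outside a 24-hour window, inside a 96-hour one.
    {"ts": "2024-11-10T12:00:00", "host": "WS-01", "image": r"C:\Tools\psexec.exe"},
]


def process_name(image: str) -> str:
    """Reduce a Windows image path to a lowercase file name so case and directory differences collapse."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rare_processes(events, window_end: datetime, window_hours: int = 24) -> dict:
    """Return {process_name: (host, ts)} for processes executed exactly once across all
    endpoints between window_end - window_hours and window_end (inclusive)."""
    window_start = window_end - timedelta(hours=window_hours)
    in_window = [
        e for e in events
        if window_start <= datetime.fromisoformat(e["ts"]) <= window_end
    ]
    counts = Counter(process_name(e["image"]) for e in in_window)
    # Keep the single event for each process whose total count in the window is one;
    # the host and timestamp give the analyst a starting point for triage.
    return {
        process_name(e["image"]): (e["host"], e["ts"])
        for e in in_window
        if counts[process_name(e["image"])] == 1
    }


if __name__ == "__main__":
    end = datetime(2024, 11, 13, 23, 59, 59)
    for name, (host, ts) in sorted(rare_processes(SAMPLE_EVENTS, end).items()):
        print(f"rare process {name} on {host} at {ts}")
```

Widening the window changes the verdict: a process seen once in 24 hours but twice in 96 hours drops out, which is why the timeframe is part of the rule's definition rather than a tuning afterthought.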
Categories
- Endpoint
- Windows
- Network
- On-Premise
Data Sources
- Process
- Logon Session
- Windows Registry
- Application Log
ATT&CK Techniques
- T1204
Created: 2024-11-13