
Summary
This detection rule identifies the executable 'searchprotocolhost.exe' running without command line arguments while it has an active network connection. The detection uses telemetry from Endpoint Detection and Response (EDR) systems, specifically Sysmon Event ID 1 for process creation and Event ID 3 for network connections. Legitimate executions of 'searchprotocolhost.exe' carry specific command line arguments; their absence combined with network activity may indicate malicious behavior such as the use of exploits or tools like Cobalt Strike. If this behavior is confirmed as malicious, it could lead to unauthorized network connections that support command-and-control operations or data exfiltration. EDR logs, properly ingested into Splunk, allow real-time detection of and response to suspicious activity involving this executable.
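The correlation the rule describes, written out as an added example rather than the rule's own Splunk search: Sysmon Event ID 1 records are checked for a searchprotocolhost.exe command line that is nothing but the executable, and Event ID 3 records from the same ProcessGuid then raise an alert. The events are constructed in-memory dicts mimicking the Sysmon field names (EventID, Image, CommandLine, ProcessGuid, DestinationIp, DestinationPort).

```python
"""Correlate Sysmon EID 1 (process create) with EID 3 (network connect) to flag
searchprotocolhost.exe launched with no arguments that then talks on the network.
Added example; the field names follow Sysmon, the event values are constructed."""

TARGET = "searchprotocolhost.exe"


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is only the executable (argv[0]).
    Sysmon's CommandLine includes the program path, optionally quoted."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def detect(events):
    """Return one alert per network connection made by an argument-less
    searchprotocolhost.exe process, keyed on ProcessGuid."""
    suspicious = {}
    for ev in events:
        if (ev["EventID"] == 1 and ev["Image"].lower().endswith(TARGET)
                and has_no_arguments(ev["CommandLine"])):
            suspicious[ev["ProcessGuid"]] = ev
    alerts = []
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessGuid"] in suspicious:
            proc = suspicious[ev["ProcessGuid"]]
            alerts.append({
                "process_guid": ev["ProcessGuid"],
                "image": proc["Image"],
                "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            })
    return alerts


EXE = r"C:\Windows\System32\SearchProtocolHost.exe"
# Constructed sample events: A is a normal indexer launch with arguments,
# B and C have no arguments, but only B goes on to make a network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": EXE,
     "CommandLine": f'"{EXE}" Global\\UsGthrFltPipeMssGthrPipe1_ 1 -2147483646'},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": EXE, "CommandLine": f'"{EXE}"'},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": EXE, "CommandLine": EXE},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": EXE,
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "ProcessGuid": "{B}", "Image": EXE,
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the join key should be the process GUID (not the reusable PID), and the normal-argument baseline should be checked against the hosts' own Sysmon data before tuning.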
Categories
- Endpoint
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1055
Created: 2024-12-10