
Summary
This detection rule identifies command and control (C2) activity associated with the SUNBURST malware, which exploits vulnerabilities within SolarWinds' Orion software. The rule specifies detection parameters for network protocols on Windows endpoints, in particular HTTP traffic that masquerades as legitimate SolarWinds communications. SUNBURST triggers an implanted backdoor that lets attackers retrieve and execute commands surreptitiously, shaping its traffic to blend in with authentic service data. The rule leverages OS query commands to enrich the investigation, including checks of the DNS cache, running services, and executable signatures, to find signs of malware persistence. It lists detailed investigation steps and highlights the need for swift incident response once suspicious activity is confirmed, so that organizations can mitigate the risk posed by this advanced persistent threat.
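The enrichment checks named above (DNS cache, running services, executable signatures) can be reproduced on a Windows endpoint with built-in cmdlets. The script below is an added triage example written for this page; it is not the detection rule's own query and not SolarWinds or vendor code. The suspect domain list and the Orion install path are assumptions passed in as parameters, and the default domain is a placeholder rather than an indicator taken from the page.

```powershell
# Added example (not the rule's own query, not vendor code): reproduce the rule's
# enrichment checks on a Windows endpoint for an analyst triaging a SUNBURST alert.
# $SuspectDomains and $SolarWindsPath are assumptions supplied by the analyst; the
# default domain below is a placeholder, not an indicator from the page.
param(
    [string[]]$SuspectDomains = @('suspect-domain.invalid'),            # placeholder; replace with your own indicators
    [string]$SolarWindsPath   = 'C:\Program Files (x86)\SolarWinds\Orion'  # assumed Orion install path
)

# 1. DNS cache: a cached name ending in a suspect domain means this host resolved it recently.
function Get-SuspectDnsCacheEntries {
    param([string[]]$Domains)
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
        $entry = $_.Entry
        $Domains | Where-Object { $entry -like "*$_" }
    } | Select-Object Entry, Data, TimeToLive
}

# 2. Running services: resolve each service's binary and check its Authenticode signature.
function Get-RunningServiceSignatures {
    Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
        # PathName may be quoted and carry arguments; keep only the executable path.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        [pscustomobject]@{
            Service = $_.Name
            Path    = $exe
            Status  = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 3. Orion binaries: any DLL or EXE under the install tree without a valid signature deserves a look.
function Get-UnsignedSolarWindsBinaries {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Recurse -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

Write-Host '== DNS cache entries matching suspect domains =='
Get-SuspectDnsCacheEntries -Domains $SuspectDomains | Format-Table -AutoSize

Write-Host '== Running services whose binary lacks a valid signature =='
Get-RunningServiceSignatures | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

Write-Host "== Binaries under $SolarWindsPath without a valid signature =="
Get-UnsignedSolarWindsBinaries -Root $SolarWindsPath | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host that raised the alert, with the domain list taken from your own threat intelligence. Treat the signature check as one signal among several: a valid Authenticode signature is not proof that a component is clean, since the trojanized SUNBURST library shipped with a legitimate SolarWinds signature, so the DNS cache hits and the unexpected HTTP traffic the rule flags carry more weight than signature status alone.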
Categories
- Endpoint
- Windows
- Network
Data Sources
- Network Traffic
- Process
- Application Log
ATT&CK Techniques
- T1071
- T1071.001
- T1195
- T1195.002
Created: 2020-12-14