
Microsoft Build Engine Using an Alternate Name

Elastic Detection Rules

Summary
This rule identifies the Microsoft Build Engine (MSBuild) being executed under a name other than its original file name, a behaviour commonly associated with defence evasion. MSBuild is a legitimate developer tool that normally runs as 'MSBuild.exe'. A binary whose PE original file name is 'MSBuild.exe' but whose executing process name is something else has almost certainly been renamed, which adversaries do to slip past application allowlisting and name-based detections while still abusing MSBuild as a trusted proxy for compiling and running their own code.

The rule runs over the last 9 minutes of process events and matches any process whose original file name is 'MSBuild.exe' but whose name at execution time differs. It draws on process telemetry shipped by sources such as Winlogbeat and Microsoft Defender for Endpoint, which carry the PE metadata needed for the comparison.

When the rule fires, triage should cover the process's behaviour, its parent process, any registry modifications, and its network activity, to establish whether MSBuild was used to execute attacker-supplied code or whether the renamed copy is benign.
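The comparison the rule performs, reproduced as an added example in Python over a handful of constructed ECS-style process events (this is not the rule's own query or Elastic code; the field names process.name, process.pe.original_file_name, process.parent.name, event.type and host.os.type are an assumption about how the shipped logs are mapped). It also shows the two edge cases a practitioner should get right: file names on Windows are case-insensitive, and an event with no PE metadata must not match.

```python
"""Replicate the rule's core check over constructed ECS-style process events.

Added example, not the rule's query. The events below are constructed for
illustration and the ECS field paths are an assumption about log mapping.
"""
from typing import Iterable

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # legitimate build launched from Visual Studio: original and actual name agree
        "event": {"type": "start"},
        "host": {"os": {"type": "windows"}},
        "process": {
            "name": "MSBuild.exe",
            "executable": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
            "pe": {"original_file_name": "MSBuild.exe"},
            "parent": {"name": "devenv.exe"},
        },
    },
    {  # renamed copy run from a user-writable path: should match
        "event": {"type": "start"},
        "host": {"os": {"type": "windows"}},
        "process": {
            "name": "svchost.exe",
            "executable": r"C:\Users\Public\svchost.exe",
            "pe": {"original_file_name": "MSBuild.exe"},
            "parent": {"name": "cmd.exe"},
        },
    },
    {  # original file name differs only in case: still MSBuild, should match
        "event": {"type": "start"},
        "host": {"os": {"type": "windows"}},
        "process": {
            "name": "build.exe",
            "executable": r"C:\Temp\build.exe",
            "pe": {"original_file_name": "msbuild.exe"},
            "parent": {"name": "powershell.exe"},
        },
    },
    {  # child of MSBuild with no PE metadata: must not match
        "event": {"type": "start"},
        "host": {"os": {"type": "windows"}},
        "process": {
            "name": "csc.exe",
            "executable": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
            "parent": {"name": "MSBuild.exe"},
        },
    },
    {  # process end for the renamed copy: the rule looks at starts only
        "event": {"type": "end"},
        "host": {"os": {"type": "windows"}},
        "process": {
            "name": "svchost.exe",
            "pe": {"original_file_name": "MSBuild.exe"},
            "parent": {"name": "cmd.exe"},
        },
    },
]


def _get(event: dict, path: str):
    """Walk a dotted ECS path such as 'process.pe.original_file_name'."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def is_renamed_msbuild(event: dict) -> bool:
    """True for a Windows process start whose PE original file name is
    MSBuild.exe but whose running name differs. Case-insensitive, and a
    missing original_file_name never matches: the metadata is the evidence."""
    if _get(event, "host.os.type") != "windows" or _get(event, "event.type") != "start":
        return False
    original = _get(event, "process.pe.original_file_name")
    name = _get(event, "process.name")
    if not original or not name:
        return False
    return original.lower() == "msbuild.exe" and name.lower() != "msbuild.exe"


def find_renamed_msbuild(events: Iterable[dict]) -> list:
    """Return a triage record per hit: the name it ran under, its path and
    its parent, the first things an analyst checks on this alert."""
    hits = []
    for ev in events:
        if is_renamed_msbuild(ev):
            hits.append({
                "name": _get(ev, "process.name"),
                "executable": _get(ev, "process.executable"),
                "parent": _get(ev, "process.parent.name"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_renamed_msbuild(SAMPLE_EVENTS):
        print(f"renamed MSBuild: {hit['name']} ({hit['executable']}) spawned by {hit['parent']}")
```

Running it reports the two renamed copies (svchost.exe under cmd.exe, build.exe under powershell.exe) and stays silent on the legitimate Visual Studio build, the csc.exe child that lacks PE metadata, and the process end event. In the real pipeline the parent name and executable path are the fields to enrich the alert with, since a renamed MSBuild spawned by a shell from a user-writable directory is the pattern behind T1127.001 abuse.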
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
  • File
ATT&CK Techniques
  • T1036 (Masquerading)
  • T1036.003 (Masquerading: Rename System Utilities)
  • T1127 (Trusted Developer Utilities Proxy Execution)
  • T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild)
Created: 2020-03-25