
Summary
This rule aims to detect the use of the Windows Package Manager (winget) to add potentially suspicious download sources. Winget is commonly used to manage and install software packages on Windows systems, and its ability to add additional sources can be abused to introduce software from unverified repositories. The detection focuses on process creation events for winget and matches on specific command line patterns: it flags commands that contain both 'source' and 'add', and additionally checks whether the command line specifies an IP address, which could indicate an untrusted source. This detection is critical for maintaining a secure software supply chain and preventing the introduction of malicious software via rogue sources.
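The following is an added illustration of the detection logic described above, written here for this page and not the rule's own implementation. It assumes process creation events carry an `Image` (executable path) and a `CommandLine` field, and uses constructed sample events to show which lines would be flagged and which would not.

```python
import re

# Dotted-quad IPv4 literal anywhere in the command line (hypothetical pattern,
# chosen for this example; the lookarounds avoid matching parts of longer
# numeric strings such as "1.2.3.4.5" or version numbers like "v9.0").
IPV4_LITERAL = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def _is_winget(image: str) -> bool:
    """True when the executing image is winget.exe, regardless of directory."""
    return re.split(r"[\\/]", image)[-1].lower() == "winget.exe"


def is_suspicious_winget_source_add(image: str, command_line: str) -> bool:
    """Flag a process creation event when winget is asked to add a new source
    and the command line names that source by raw IP address."""
    if not _is_winget(image):
        return False
    tokens = command_line.lower().split()
    # Both keywords must appear as separate arguments, as in: winget source add ...
    if "source" not in tokens or "add" not in tokens:
        return False
    return IPV4_LITERAL.search(command_line) is not None


def scan_events(events: list[dict]) -> list[str]:
    """Return the command lines of all events the rule would flag."""
    return [e["CommandLine"] for e in events
            if is_suspicious_winget_source_add(e["Image"], e["CommandLine"])]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": "winget source add -n internal -a http://192.168.10.25:8080/index"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": "winget source add -n msstore -a https://storeedgefd.dsx.mp.microsoft.com/v9.0"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": "winget install --id 7zip.7zip"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git remote add source http://10.0.0.4/repo.git"},
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print("FLAGGED:", line)
```

Only the first sample event is flagged: the second adds a source by hostname, the third is not a `source add`, and the fourth is not winget at all.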
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-04-17