
Windows Process Accessing Windows Recall Directory

Splunk Security Content

Summary
This anomaly detection flags Windows processes that access the Windows Recall directory used by CoreAIPlatform for screenshot-based AI features. It monitors Windows Security Event ID 4663 (object access) with ObjectName matching the Recall directory pattern (CoreAIPlatform.00\\UKP*) and AccessList set to %%4416. The rule excludes known legitimate host processes (e.g., *aixhost.exe, *aihost.exe) to reduce false positives. It aggregates results by Computer, EventID, AccessList, ObjectName, and ProcessName to compute first and last access times, which supports contextual alerting and trend analysis via the windows_process_accessing_windows_recall_directory_filter macro. The detection aims to surface suspicious access to Recall data, given historical security weaknesses in Recall that could be exploited by info-stealer malware to harvest sensitive data. While Microsoft plans mitigations and improvements to Recall, this rule remains in production and will be reassessed for continued relevance after those updates. False positives may include legitimate system processes or approved AI tooling accessing Recall for legitimate features; analysts should review and allow trusted software as needed. The rule relies on endpoint telemetry from EDR logs, mapped to the CIM data model, and requires complete process, parent process, and command-line data for accurate correlation.
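As an added illustration that is not part of the Splunk Security Content project, the following Python sketch applies the same filter and aggregation described above to a handful of constructed Event ID 4663 records. The field names follow the summary; the hostname, file paths, timestamps and process names in the sample events are invented.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample Security Event ID 4663 records; hostname, paths and timestamps are invented.
SAMPLE_EVENTS = [
    {"_time": "2026-04-13T10:00:00", "Computer": "WS01", "EventID": 4663,
     "AccessList": "%%4416", "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\CoreAIPlatform.00\UKP\{guid}\ukg.db"},
    {"_time": "2026-04-13T10:05:00", "Computer": "WS01", "EventID": 4663,
     "AccessList": "%%4416", "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\CoreAIPlatform.00\UKP\{guid}\ukg.db"},
    # Excluded: one of the allow-listed AI host processes.
    {"_time": "2026-04-13T10:06:00", "Computer": "WS01", "EventID": 4663,
     "AccessList": "%%4416", "ProcessName": r"C:\Windows\System32\AIXHost.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\CoreAIPlatform.00\UKP\{guid}\ukg.db"},
    # Excluded: object outside the Recall directory.
    {"_time": "2026-04-13T10:08:00", "Computer": "WS01", "EventID": 4663,
     "AccessList": "%%4416", "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt"},
]

RECALL_OBJECT_GLOB = r"*coreaiplatform.00\ukp*"            # compared case-insensitively
ALLOWED_PROCESS_GLOBS = (r"*aixhost.exe", r"*aihost.exe")  # same exclusions as the rule
GROUP_BY = ("Computer", "EventID", "AccessList", "ObjectName", "ProcessName")


def is_candidate(ev):
    """Rule filter: Event 4663, access right %%4416, Recall path, not an allowed host process."""
    if ev.get("EventID") != 4663:
        return False
    if "%%4416" not in str(ev.get("AccessList", "")).split():  # AccessList may be multi-valued
        return False
    if not fnmatchcase(ev.get("ObjectName", "").lower(), RECALL_OBJECT_GLOB):
        return False
    proc = ev.get("ProcessName", "").lower()
    return not any(fnmatchcase(proc, g) for g in ALLOWED_PROCESS_GLOBS)


def detect(events):
    """Group matching events by the rule's fields and compute first/last access times."""
    groups = {}
    for ev in events:
        if not is_candidate(ev):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"firstTime": t, "lastTime": t, "count": 0})
        g["firstTime"], g["lastTime"] = min(g["firstTime"], t), max(g["lastTime"], t)
        g["count"] += 1
    return [dict(zip(GROUP_BY, k), **v) for k, v in sorted(groups.items())]
```

Running `detect(SAMPLE_EVENTS)` yields a single aggregated row for the non-excluded process, with the two accesses collapsed into one firstTime/lastTime pair.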
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • File
ATT&CK Techniques
  • T1119
  • T1059
Created: 2026-04-13