
Summary
This detection rule identifies potentially suspicious installations of packages via the Windows Package Manager (winget) from untrusted or suspicious sources. It looks for specific indicators in the logs that point to a package source which may compromise the system's security. The rule examines logs for entries carrying a Zone Identifier of ZoneId=3, which marks a file as downloaded from the internet. It additionally searches for specific URI patterns that correlate with suspicious sources. The targeted filename appears to be a temporary file within the AppData directory, a location that would typically indicate potentially unwanted or malicious package installations. The detection uses log data in the 'create_stream_hash' category for Windows, which makes it well suited to identifying abuse of the winget package installation mechanism, a mechanism attackers can use as a persistence or evasion technique.
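As an added example (not the rule's own logic or code), the check described above is applied in Python to constructed create_stream_hash records of the Sysmon Event ID 15 shape: the Zone.Identifier stream body is parsed, and a write is flagged when the file sits under the winget temp directory, carries ZoneId=3, and names a host outside an allowlist. The WinGet temp-path fragment and the trusted-host allowlist are assumptions, since the page does not list the rule's exact path or URI patterns.

```python
import re
from urllib.parse import urlparse

# Assumptions, labelled: the temp-path fragment and the allowlist are placeholders
# chosen for this example, not values taken from the detection rule itself.
WINGET_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\WinGet\\", re.IGNORECASE)
ZONE_ID = re.compile(r"^ZoneId=(\d+)\s*$", re.MULTILINE)
HOST_URL = re.compile(r"^HostUrl=(\S+)\s*$", re.MULTILINE)
TRUSTED_HOSTS = {"trusted.example.org"}  # hypothetical allowlist of expected package hosts


def parse_zone_transfer(contents: str) -> dict:
    """Extract ZoneId and the HostUrl hostname from a Zone.Identifier stream body."""
    zone = ZONE_ID.search(contents)
    host = HOST_URL.search(contents)
    return {
        "zone_id": int(zone.group(1)) if zone else None,
        "host": urlparse(host.group(1)).hostname if host else None,
    }


def is_suspicious_winget_install(event: dict) -> bool:
    """True when an ADS write on a winget temp file marks it internet-sourced (ZoneId=3)
    and the download host is missing or not on the allowlist."""
    if not WINGET_TEMP_DIR.search(event["TargetFilename"]):
        return False
    info = parse_zone_transfer(event["Contents"])
    if info["zone_id"] != 3:
        return False
    return info["host"] not in TRUSTED_HOSTS


def scan(events: list) -> list:
    """Return the TargetFilename of every event the rule would flag."""
    return [e["TargetFilename"] for e in events if is_suspicious_winget_install(e)]


# Constructed sample records (Sysmon Event ID 15 / create_stream_hash shape), not real logs.
_WG = r"C:\Users\alice\AppData\Local\Temp\WinGet\Tool.1.0\setup.exe:Zone.Identifier"
SAMPLE_EVENTS = [
    {"TargetFilename": _WG, "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example.net/setup.exe\r\n"},
    {"TargetFilename": _WG, "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://trusted.example.org/setup.exe\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example.net/setup.exe\r\n"},
    {"TargetFilename": _WG, "Contents": "[ZoneTransfer]\r\nZoneId=2\r\nHostUrl=https://intranet.example/setup.exe\r\n"},
    {"TargetFilename": _WG, "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious winget install:", hit)
```

Only the untrusted-host record and the record with no HostUrl are flagged; the trusted host, the non-winget path and the intranet zone (ZoneId=2) are left alone.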
Categories
- Windows
- Cloud
- Endpoint
Data Sources
- File
- Logon Session
Created: 2023-04-18