
Summary
This rule is designed to detect use of the Windows Package Manager (`winget`) to add new download sources. It analyzes process creation logs for instances of `winget.exe`, monitoring command-line arguments that indicate an attempt to add a source. The rule looks for executions whose command line contains both `source` and `add`, indicating a modification to the list of package sources. The detection logic requires a match on the executable name together with the required command-line fragments, which helps identify threat actors attempting to leverage winget for malicious software installations. False positives may arise from legitimate administrative actions or tools that also use `winget` for valid purposes.
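The matching logic described above, shown over a handful of constructed process creation events, as an added example (not the rule's own code or a Sigma backend). It also includes a stricter variant that requires `source` and `add` to appear as consecutive arguments; that variant is an illustrative tuning assumption, not part of the rule, and it shows how the plain substring form can match an unrelated package name that happens to contain `add`.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ProcessEvent:
    """Minimal process-creation event (fields named after Sysmon Event ID 1)."""
    image: str
    command_line: str


def matches_winget_source_add(event: ProcessEvent) -> bool:
    """Rule logic as described: Image ends with \\winget.exe and the
    command line contains both the 'source' and 'add' fragments."""
    image_ok = event.image.lower().endswith("\\winget.exe")
    cl = event.command_line.lower()
    return image_ok and "source" in cl and "add" in cl


def matches_winget_source_add_strict(event: ProcessEvent) -> bool:
    """Assumed tuning (not part of the rule): require the arguments
    'source' and 'add' to appear as consecutive tokens."""
    if not event.image.lower().endswith("\\winget.exe"):
        return False
    tokens = event.command_line.lower().split()
    return any(a == "source" and b == "add" for a, b in zip(tokens, tokens[1:]))


def scan(events: List[ProcessEvent],
         matcher: Callable[[ProcessEvent], bool]) -> List[int]:
    """Return the indices of events that the given matcher flags."""
    return [i for i, e in enumerate(events) if matcher(e)]


# Constructed sample events; the paths and URLs are placeholders.
WINGET = r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe"
SAMPLE_EVENTS = [
    # 0: a new source being registered -> true positive
    ProcessEvent(WINGET, "winget source add -n internal -a https://packages.example.internal/"),
    # 1: ordinary install that names a source but never adds one
    ProcessEvent(WINGET, "winget install --id Git.Git --source winget"),
    # 2: package id contains 'add' -> substring logic fires, strict logic does not
    ProcessEvent(WINGET, "winget install --source winget Example.AddressBook"),
    # 3: same arguments but the image is cmd.exe, so the image condition fails
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c winget source add -n x -a https://x.example/"),
    # 4: listing sources is read-only
    ProcessEvent(WINGET, "winget source list"),
]


if __name__ == "__main__":
    for name, matcher in (("rule", matches_winget_source_add),
                          ("strict", matches_winget_source_add_strict)):
        hits = scan(SAMPLE_EVENTS, matcher)
        print(f"{name}: matched events {hits}")
```

Event 3 shows why the image condition matters: the same arguments launched through `cmd.exe` do not match until the child `winget.exe` process itself is logged, so process creation logging must capture child processes. Event 2 is the kind of false positive the summary warns about and is the case a tuned version of the logic would want to exclude.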
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2023-04-17