Detect suspicious processnames using pretrained model in DSDL

Splunk Security Content

Summary
This detection rule identifies potentially malicious process names using a pre-trained deep learning model based on a Recurrent Neural Network (RNN). Using telemetry from Endpoint Detection and Response (EDR) tooling, the rule estimates the likelihood that a process name is benign or malicious and applies a threshold score of 0.5. The aim is to catch malware such as TrickBot, which frequently uses randomly generated filenames to evade detection. The rule processes Sysmon EventID 1 data to classify processes and raises an alert when the likelihood of maliciousness exceeds the defined threshold. Accurate results depend on ingesting the correct telemetry logs, normalizing them with the Splunk Common Information Model (CIM), and carefully reviewing the output for false positives, particularly for process names that closely resemble benign processes.
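As an added illustration (not Splunk's own search or model code), the post-model step the summary describes: applying the 0.5 threshold to Sysmon EventID 1 records and flagging alerts whose names closely resemble benign processes. The model scores, the benign-name list and the lookalike cutoff are constructed for this example.

```python
from difflib import SequenceMatcher

# Decision threshold from the rule: a model score above 0.5 is treated as malicious.
THRESHOLD = 0.5
# Constructed allow-list of common benign process names used to flag lookalikes during triage.
BENIGN_NAMES = ("svchost.exe", "explorer.exe", "chrome.exe", "lsass.exe")
# Similarity above which an alerted name is flagged as a possible benign lookalike (hypothetical cutoff).
LOOKALIKE_RATIO = 0.85

# Constructed Sysmon records; "score" stands in for the DSDL model's malicious likelihood.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "score": 0.02},
    {"EventID": 1, "Image": r"C:\Users\Public\svchosts.exe", "score": 0.71},
    {"EventID": 1, "Image": r"C:\Users\Public\qxkzjwpd.exe", "score": 0.93},
    {"EventID": 3, "Image": r"C:\Users\Public\zzqwv.exe", "score": 0.99},  # not a process-creation event
]

def process_name_from_image(image):
    """Sysmon EventID 1 carries the full path in Image; the model scores only the file name."""
    return image.rsplit("\\", 1)[-1].lower()

def closest_benign(name):
    """Return the most similar allow-listed name and its similarity ratio (0..1)."""
    best, best_ratio = None, 0.0
    for benign in BENIGN_NAMES:
        ratio = SequenceMatcher(None, name, benign).ratio()
        if ratio > best_ratio:
            best, best_ratio = benign, ratio
    return best, best_ratio

def classify(events, threshold=THRESHOLD):
    """Apply the threshold to EventID 1 records and annotate alerts that resemble benign names."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 1 or ev["score"] <= threshold:
            continue
        name = process_name_from_image(ev["Image"])
        nearest, ratio = closest_benign(name)
        alerts.append({
            "process_name": name,
            "score": ev["score"],
            "nearest_benign": nearest,
            "possible_false_positive": ratio >= LOOKALIKE_RATIO,
        })
    return alerts

if __name__ == "__main__":
    for alert in classify(SAMPLE_EVENTS):
        print(alert)
```

The lookalike flag does not suppress the alert; it marks the cases the summary says need closer review, since a name one character away from a system binary can be either a typo-squatting masquerade or a benign false positive.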
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1059
Created: 2024-11-13