
Renamed Utility Executed with Short Program Name

Elastic Detection Rules

Summary
This rule identifies the execution of processes whose names consist of a single character plus the executable extension (five characters in total, for example the pattern a.exe). Historically, adversaries have used such naming conventions when staging or executing transient utilities, because it can help evade security tools that monitor by process name. The detection matches processes whose name is exactly 5 characters long while the original file name recorded in the binary's version metadata exceeds 5 characters, which indicates the utility was renamed. The rule is written in EQL (Event Query Language) and draws on multiple data sources, including Winlogbeat and Microsoft Defender for Endpoint. The investigation guide lists possible investigation steps, such as examining the process's execution chain, tracking unusual behavior, and checking file hashes against known threat databases. The overall risk score for this detection is 47, categorized as medium severity. It outlines a structured response upon detection of the event, suggesting isolation of the affected host and possibly initiating an incident response.
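The length comparison described above, expressed in Python as an added example rather than the rule's own EQL: it applies the check to a handful of constructed process-creation events. The ECS-style field names `process.name` and `process.pe.original_file_name`, and the sample values, are assumptions made for this illustration and are not taken from the rule page.

```python
"""Added example (not Elastic's rule code): the short-name / original-file-name
length check the summary describes, run over constructed process events.
Field names follow ECS conventions (process.name, process.pe.original_file_name)
as an assumption."""

from typing import Dict, Iterable, List, Optional

Event = Dict[str, Optional[str]]

# Constructed sample events; every value here is illustrative only.
SAMPLE_EVENTS: List[Event] = [
    # Five-character name but the embedded original name is longer: renamed utility.
    {"process.name": "a.exe", "process.pe.original_file_name": "PsExec.exe"},
    # Normal executable whose name matches its original file name.
    {"process.name": "certutil.exe", "process.pe.original_file_name": "CertUtil.exe"},
    # Short name that was never renamed: original name is equally short.
    {"process.name": "b.exe", "process.pe.original_file_name": "b.exe"},
    # Short name with no version metadata at all: no original name to compare.
    {"process.name": "x.exe", "process.pe.original_file_name": None},
]


def is_renamed_short_name(event: Event) -> bool:
    """True when the process name is exactly 5 characters (a single character
    plus '.exe') and the original file name is longer than 5 characters."""
    name = event.get("process.name") or ""
    original = event.get("process.pe.original_file_name") or ""
    return len(name) == 5 and len(original) > 5


def find_matches(events: Iterable[Event]) -> List[Event]:
    """Return the events that satisfy the detection condition."""
    return [event for event in events if is_renamed_short_name(event)]


def matched_names(events: Iterable[Event]) -> List[str]:
    """Process names of the matching events, in input order."""
    return [event["process.name"] or "" for event in find_matches(events)]


if __name__ == "__main__":
    for event in find_matches(SAMPLE_EVENTS):
        print("match:", event["process.name"], "->", event["process.pe.original_file_name"])
```

The third and fourth sample events show the two cases the second half of the condition is there to suppress: a genuinely short program name that was never renamed, and a binary with no version metadata, where an absent original name must not be treated as a match.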
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • Windows Registry
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1036
  • T1036.003
Created: 2020-11-15