
Summary
This detection rule identifies potentially malicious PowerShell script blocks by correlating multiple alert detections. It uses an ESQL query to filter and analyze alert data, specifically PowerShell-related alerts that indicate potentially harmful activity. The key hypothesis is that several distinct alerts correlating with a single PowerShell script block ID are a strong indicator of malicious intent. The rule pairs this correlation with a systematic investigation approach to reduce false positives and support a thorough incident response process. Analysts are encouraged to examine the execution context and investigate the script's origin, behavioral indicators, and execution artifacts to improve detection accuracy and response effectiveness.
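The correlation logic described above, as an added worked example that is not the rule's own ESQL query: it groups alert records by PowerShell script block ID, counts the distinct rule names that fired for each block, and flags blocks that reach a threshold. The alert records are constructed for the example, the field names (`powershell.file.script_block_id`, `kibana.alert.rule.name`, `host.name`) follow Elastic alert conventions as an assumption, and the threshold of two distinct rules is an assumed value, not one stated on the page.

```python
"""Correlate alerts by PowerShell script block ID (added example, not the rule's own code)."""
from collections import defaultdict

# Constructed sample alerts; rule names and IDs are illustrative, not real data.
SAMPLE_ALERTS = [
    {"kibana.alert.rule.name": "PowerShell Encoded Command",
     "powershell.file.script_block_id": "a1b2", "host.name": "ws01"},
    {"kibana.alert.rule.name": "PowerShell Suspicious Discovery API Usage",
     "powershell.file.script_block_id": "a1b2", "host.name": "ws01"},
    # Same rule firing twice for one block counts as one distinct rule.
    {"kibana.alert.rule.name": "PowerShell Encoded Command",
     "powershell.file.script_block_id": "c3d4", "host.name": "ws02"},
    {"kibana.alert.rule.name": "PowerShell Encoded Command",
     "powershell.file.script_block_id": "c3d4", "host.name": "ws02"},
    # Single alert for a block: below threshold.
    {"kibana.alert.rule.name": "PowerShell Script With Download Capability",
     "powershell.file.script_block_id": "e5f6", "host.name": "ws03"},
    # Alert without a script block ID cannot be correlated and is skipped.
    {"kibana.alert.rule.name": "Unusual Process Execution", "host.name": "ws01"},
]

THRESHOLD = 2  # assumed: distinct rules needed before a script block is flagged


def correlate(alerts, threshold=THRESHOLD):
    """Return {script_block_id: {"rules": [...], "hosts": [...]}} for blocks
    that triggered at least `threshold` distinct detection rules."""
    rules_by_block = defaultdict(set)
    hosts_by_block = defaultdict(set)
    for alert in alerts:
        block_id = alert.get("powershell.file.script_block_id")
        rule_name = alert.get("kibana.alert.rule.name")
        if not block_id or not rule_name:
            continue  # nothing to correlate on
        rules_by_block[block_id].add(rule_name)
        hosts_by_block[block_id].add(alert.get("host.name", "unknown"))
    return {
        block_id: {"rules": sorted(rules), "hosts": sorted(hosts_by_block[block_id])}
        for block_id, rules in rules_by_block.items()
        if len(rules) >= threshold
    }


def triage_lines(flagged):
    """Render flagged blocks as one line each for an analyst queue."""
    return [
        f"script_block_id={block_id} hosts={','.join(info['hosts'])} "
        f"distinct_rules={len(info['rules'])}: {'; '.join(info['rules'])}"
        for block_id, info in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in triage_lines(correlate(SAMPLE_ALERTS)):
        print(line)
```

Counting distinct rule names rather than raw alert volume is what keeps a single noisy rule from promoting a block on its own; a block is only surfaced when independent detections agree on the same script block ID.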
Categories
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1059
- T1059.001
Created: 2025-04-16