Windows Level RMM PowerShell Script Installer

Splunk Security Content

Summary
This rule targets potential misuse of Level, a commercial Remote Monitoring and Management (RMM) tool, by detecting the PowerShell installer script associated with Level on Windows endpoints. It uses Windows PowerShell Script Block Logging (Event ID 4104) to flag script blocks that contain both a Level API key environment variable and the known installer URL (https://downloads.level.io/install_windows.ps1). The detection is implemented as a Splunk search that filters ScriptBlockText for those two patterns, then aggregates by host, event and script block identifier to surface first/last execution times and related context.

When Level installer activity is observed, the rule raises a risk signal and attaches a risk object targeting the destination host with a score of 20. Responders should note that legitimate IT usage produces the same telemetry, so the observation indicates exploitation or persistence only when the installation was not sanctioned. Drilldown queries are provided for per-user/destination review and for a 7-day risk history view. The rule explicitly lists legitimate administrative use as a potential false positive and references authoritative guidance on RMM abuse (CISA AA23-320a).

The detection relies on EDR telemetry that includes complete command lines and process metadata, and recommends mapping to the Endpoint data model (Processes) and normalizing fields via the Splunk CIM for efficient correlation and analysis. It is intended for endpoint security teams to detect, investigate and, where warranted, contain unauthorized Level RMM activity.
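To make the matching and aggregation concrete, the following is an added Python re-implementation of the logic described above, run over constructed Event ID 4104 records; it is not the Splunk Security Content project's own search and does not ship with the rule. It assumes the API key environment variable is matched on the name LEVEL_API_KEY, that Splunk's wildcard match on ScriptBlockText is case-insensitive, and that the aggregation takes the form min/max of _time plus a count keyed by dest, EventCode and ScriptBlockId. The sample events, hostnames and script block identifiers are constructed for the demonstration.

```python
"""Added example (not the rule's own SPL): Level RMM installer detection
re-implemented in Python over constructed PowerShell 4104 events."""
from collections import defaultdict
from typing import Dict, List

# Values taken from the rule description above.
INSTALLER_URL = "https://downloads.level.io/install_windows.ps1"
RISK_SCORE = 20  # risk score the rule assigns to the destination host

# Assumption: the environment variable name the search matches on.
API_KEY_ENV = "LEVEL_API_KEY"

# Constructed sample events. Field names follow the common Windows TA shape;
# _time is an integer epoch for readability.
SAMPLE_EVENTS: List[Dict] = [
    # Both patterns present -> should be flagged.
    {"_time": 100, "dest": "WS01", "EventCode": 4104, "ScriptBlockId": "a1",
     "ScriptBlockText": "$env:LEVEL_API_KEY='REDACTED'; "
                        "iex (iwr https://downloads.level.io/install_windows.ps1)"},
    # Same script block logged again on the same host -> same group, count 2.
    {"_time": 160, "dest": "WS01", "EventCode": 4104, "ScriptBlockId": "a1",
     "ScriptBlockText": "$env:LEVEL_API_KEY='REDACTED'; "
                        "iex (iwr https://downloads.level.io/install_windows.ps1)"},
    # URL only, no API key variable -> not flagged (AND logic limits noise).
    {"_time": 200, "dest": "SRV02", "EventCode": 4104, "ScriptBlockId": "b7",
     "ScriptBlockText": "iwr https://downloads.level.io/install_windows.ps1 -OutFile i.ps1"},
    # Unrelated admin script -> not flagged.
    {"_time": 300, "dest": "WS03", "EventCode": 4104, "ScriptBlockId": "c3",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Remove-Item"},
    # Mixed-case URL, different block id -> flagged via case-insensitive match.
    {"_time": 310, "dest": "WS03", "EventCode": 4104, "ScriptBlockId": "c9",
     "ScriptBlockText": "Set-Item env:LEVEL_API_KEY 'REDACTED'; "
                        "iex (iwr HTTPS://DOWNLOADS.LEVEL.IO/install_windows.ps1)"},
    # Wrong event code (pipeline execution, 4103) -> ignored by the filter.
    {"_time": 320, "dest": "WS03", "EventCode": 4103, "ScriptBlockId": "c9",
     "ScriptBlockText": "$env:LEVEL_API_KEY; https://downloads.level.io/install_windows.ps1"},
]


def matches_level_installer(script_block_text: str) -> bool:
    """Equivalent of the search's two wildcard filters joined with AND.

    Splunk wildcard matches on field values are case-insensitive, so the
    comparison is done on lower-cased text.
    """
    text = script_block_text.lower()
    return API_KEY_ENV.lower() in text and INSTALLER_URL.lower() in text


def detect_level_installer(events: List[Dict]) -> List[Dict]:
    """Filter 4104 events on both patterns and aggregate per host/event/block.

    Mirrors a stats clause of the shape
    `min(_time) as firstTime max(_time) as lastTime count by dest EventCode
    ScriptBlockId`, then attaches the rule's risk object and score.
    """
    groups: Dict[tuple, List[int]] = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        if not matches_level_installer(ev.get("ScriptBlockText", "")):
            continue
        key = (ev["dest"], ev["EventCode"], ev["ScriptBlockId"])
        groups[key].append(ev["_time"])

    results = []
    for (dest, code, block_id), times in sorted(groups.items()):
        results.append({
            "dest": dest,
            "EventCode": code,
            "ScriptBlockId": block_id,
            "firstTime": min(times),
            "lastTime": max(times),
            "count": len(times),
            "risk_object": dest,       # the rule targets the destination host
            "risk_score": RISK_SCORE,
        })
    return results


if __name__ == "__main__":
    for row in detect_level_installer(SAMPLE_EVENTS):
        print(row)
```

The SRV02 event shows why the rule requires both patterns: a bare download of the installer URL without the API key variable is not flagged, which keeps the search quiet on partial or exploratory activity while still catching a complete unattended install. Each flagged row is what an analyst would pivot from into the per-user/destination drilldown before deciding whether the install was sanctioned.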
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
ATT&CK Techniques
  • T1219
Created: 2026-04-13