Windows NorthStar C2 Agent Execution

Splunk Security Content

Summary
Detects execution of the NorthStar C2 initial stager or persistent agent on Windows endpoints by monitoring process-creation telemetry (Sysmon EventID 1, Windows Security 4688 and CrowdStrike ProcessRollup2) for NorthstarStager.exe and SystemHealthCheck.exe. The rule requires full command-line logging and mapping of the telemetry into the Endpoint.Processes data model (CIM) so that Processes.process_name, Processes.original_file_name and related process metadata can be correlated; because original_file_name carries the PE version-info OriginalFilename rather than the on-disk name, a renamed copy of the stager is still matched as long as that version information is intact. A match lets an analyst pivot to the affected host, user, parent process and command line, and the detection attaches risk objects and analytic stories for triage. False positives are expected from authorized red-team activity and should be filtered when such tooling is approved for testing.
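The following is an added illustration, not the Splunk search shipped with this detection: it applies the matching logic described above to a handful of constructed, CIM-normalized process events. The `ProcessEvent` fields mirror the Endpoint.Processes names the rule references; the `authorized_hosts` allow-list, the host names and the sample command lines are assumptions made for the example.

```python
"""Added example (not Splunk Security Content's own search): run the
NorthStar C2 agent-execution matching logic over constructed process
events normalized to the Endpoint.Processes (CIM) field names."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Binaries named by the detection; compared case-insensitively against
# both the on-disk process name and the PE OriginalFilename.
NORTHSTAR_BINARIES = {"northstarstager.exe", "systemhealthcheck.exe"}


@dataclass
class ProcessEvent:
    """Subset of Endpoint.Processes fields the rule correlates on."""
    dest: str                 # Processes.dest (host)
    user: str                 # Processes.user
    process_name: str         # Processes.process_name (on-disk name)
    original_file_name: str   # Processes.original_file_name (PE version info)
    parent_process_name: str  # Processes.parent_process_name
    process: str              # Processes.process (full command line)


def is_northstar_execution(ev: ProcessEvent) -> bool:
    """Match on either name so a renamed stager whose PE version
    information is intact is still caught."""
    return (ev.process_name.lower() in NORTHSTAR_BINARIES
            or ev.original_file_name.lower() in NORTHSTAR_BINARIES)


def detect(events: Iterable[ProcessEvent],
           authorized_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one finding per matching event with the drilldown context
    an analyst pivots on (host, user, parent, command line).

    authorized_hosts is a hypothetical allow-list of hosts where the
    tooling is approved for testing; events from them are dropped as
    the expected false positives the detection notes describe."""
    findings = []
    for ev in events:
        if not is_northstar_execution(ev):
            continue
        if ev.dest.lower() in authorized_hosts:
            continue
        findings.append({
            "dest": ev.dest,
            "user": ev.user,
            "process_name": ev.process_name,
            "original_file_name": ev.original_file_name,
            "parent_process_name": ev.parent_process_name,
            "process": ev.process,
        })
    return findings


# Constructed sample telemetry (not real log data), already normalized.
SAMPLE_EVENTS = [
    # Stager launched from a user's Downloads folder via Explorer.
    ProcessEvent("WKS-0421", "CORP\\jdoe", "NorthstarStager.exe",
                 "NorthstarStager.exe", "explorer.exe",
                 r"C:\Users\jdoe\Downloads\NorthstarStager.exe"),
    # Benign system process; must not match.
    ProcessEvent("WKS-0421", "NT AUTHORITY\\SYSTEM", "svchost.exe",
                 "svchost.exe", "services.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # Renamed agent: on-disk name changed, OriginalFilename still intact.
    ProcessEvent("SRV-FILE01", "CORP\\svc_backup", "update.exe",
                 "SystemHealthCheck.exe", "cmd.exe",
                 r"C:\ProgramData\update.exe"),
    # Same binary on an authorized red-team host (hypothetical allow-list).
    ProcessEvent("REDTEAM-JMP", "CORP\\rt_operator", "SystemHealthCheck.exe",
                 "SystemHealthCheck.exe", "powershell.exe",
                 r"C:\ops\SystemHealthCheck.exe"),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, authorized_hosts=frozenset({"redteam-jmp"})):
        print(finding)
```

Run as a script it prints the two findings that survive the allow-list: the stager on WKS-0421 and the renamed agent on SRV-FILE01. The second of these is the reason the rule keys on Processes.original_file_name as well as Processes.process_name; a search that only matched the on-disk name would miss it.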
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1204.002
  • T1547.001
  • T1608
Created: 2026-04-13