Summary
This threat detection rule identifies anomalous processes running across multiple Windows hosts within an environment. By analyzing process execution instances, it flags rare processes that may indicate malicious activity. Using machine learning, the rule reduces the false positives that common automated maintenance processes would otherwise generate and that can skew alert volumes in larger networks. The rule includes Osquery queries for gathering supporting data, such as the DNS cache, running services, and unsigned executables cross-referenced with VirusTotal. Anomalies the rule surfaces should be investigated further to establish whether they are legitimate or pose a security threat. Organizations can deploy this detection as part of their ongoing efforts to maintain a strong security posture and respond quickly to potential threats.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Service
- Network Traffic
ATT&CK Techniques
- T1543
- T1204
- T1204.002
Created: 2020-03-25