
Summary
This detection rule identifies the creation of AzureHound-specific files, in particular files whose names follow the pattern `*-azurecollection.zip` and various related `.json` files, on an endpoint's filesystem. Using the Endpoint.Filesystem data model, it filters for the relevant file creation events. AzureHound is a reconnaissance tool for Azure environments that gathers information in the same way SharpHound does for Active Directory. The presence of such files may indicate preparatory steps for unauthorized access or data collection by an attacker or insider, and therefore warrants immediate investigation. Built on Sysmon EventID 11 (FileCreate), the rule gives defenders a reliable way to detect activity tied to AzureHound, where timely alerting matters for protecting cloud infrastructure from exploitation.
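The following Python script is an added example, not the rule's own search logic, showing the core of the detection above run over constructed Sysmon records: it keeps only Event ID 11 (FileCreate) events and flags those whose target file name matches the AzureHound naming pattern. The standard Sysmon field names (`EventID`, `UtcTime`, `Computer`, `User`, `Image`, `TargetFilename`) are assumed to be present as JSON keys, the sample events are made up for illustration, and only the `*-azurecollection.zip` pattern from the summary is encoded; the related `.json` names the summary refers to are not listed here and should be taken from the actual rule definition.

```python
"""Flag Sysmon Event ID 11 (FileCreate) records whose target file name matches
the AzureHound output naming convention described in the rule summary."""
import fnmatch
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# File-name globs taken from the rule. Only the zip pattern is named on the page;
# the related .json file names it mentions are not, so extend this list from the
# rule definition rather than guessing (assumption: lowercase glob patterns).
AZUREHOUND_FILE_PATTERNS = [
    "*-azurecollection.zip",
]

# Constructed sample telemetry (not real data): one JSON object per line, using
# standard Sysmon field names. Includes a matching FileCreate, a benign FileCreate,
# a ProcessCreate (Event ID 1) that must be ignored, and a case-varied match.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 11, "UtcTime": "2024-11-13 10:02:17.123",
                "Computer": "WS01.corp.example", "User": "CORP\\alice",
                "Image": "C:\\Users\\alice\\Downloads\\azurehound.exe",
                "TargetFilename": "C:\\Users\\alice\\Downloads\\20241113100217-azurecollection.zip"}),
    json.dumps({"EventID": 11, "UtcTime": "2024-11-13 10:03:40.001",
                "Computer": "WS01.corp.example", "User": "CORP\\alice",
                "Image": "C:\\Windows\\explorer.exe",
                "TargetFilename": "C:\\Users\\alice\\Documents\\budget.xlsx"}),
    json.dumps({"EventID": 1, "UtcTime": "2024-11-13 10:04:02.500",
                "Computer": "WS01.corp.example", "User": "CORP\\alice",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c dir"}),
    json.dumps({"EventID": 11, "UtcTime": "2024-11-13 10:05:11.777",
                "Computer": "WS02.corp.example", "User": "CORP\\bob",
                "Image": "C:\\Temp\\ah.exe",
                "TargetFilename": "C:\\Temp\\Collection-AzureCollection.ZIP"}),
])


def file_name_of(target_filename: str) -> str:
    """Return the final path component of a Windows path."""
    return PureWindowsPath(target_filename).name


def is_azurehound_artifact(target_filename: str) -> bool:
    """True if the file name matches any AzureHound pattern.

    Windows file names are case-insensitive, so both sides are lowercased before
    the glob comparison; fnmatchcase is used so the result does not depend on
    the host OS the script runs on."""
    name = file_name_of(target_filename).lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in AZUREHOUND_FILE_PATTERNS)


def detect(event_lines: str) -> List[Dict[str, str]]:
    """Parse JSON-lines Sysmon events and return one alert per matching FileCreate."""
    alerts: List[Dict[str, str]] = []
    for line in event_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Only FileCreate events carry the TargetFilename we care about.
        if str(ev.get("EventID")) != "11":
            continue
        target = ev.get("TargetFilename", "")
        if is_azurehound_artifact(target):
            # Keep the writing process (Image) for triage: the rule's data
            # sources include both File and Process context.
            alerts.append({
                "time": ev.get("UtcTime", ""),
                "host": ev.get("Computer", ""),
                "user": ev.get("User", ""),
                "process": ev.get("Image", ""),
                "file": target,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[AzureHound artifact] {alert['time']} {alert['host']} "
              f"{alert['user']} {alert['process']} -> {alert['file']}")
```

Matching on the file name alone is what the rule describes; in practice the `Image` field in each alert is the first pivot for triage, since an archive written by an unexpected executable in a user profile is a different investigation than one written by a backup agent.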
Categories
- Cloud
- Azure
- Endpoint
Data Sources
- File
- Process
ATT&CK Techniques
- T1087.002
- T1069.001
- T1482
- T1087.001
- T1087
- T1069.002
- T1069
- T1059.001
Created: 2024-11-13