
Summary
This detection rule targets the creation of .iso.lnk files within a specific user directory on Windows systems. The rule identifies the presence of these file types in the '%USER%\AppData\Local\Temp\<random folder name>\' path, which suggests that an ISO file has been mounted. This behavior is significant because it can indicate malicious activity, including the delivery and execution of harmful payloads via ISO files. The rule uses the Endpoint.Filesystem data model, analyzing file creation events, particularly in the Windows Recent folder. The detection aims to surface such incidents before they lead to unauthorized code execution or data exfiltration.
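The detection logic described above, applied to constructed file-creation events, as an added example that is not the rule's own search: it flags *.iso.lnk shortcuts created inside the user's Windows Recent folder. The field names (action, dest, user, file_path, file_name) are borrowed from the Endpoint.Filesystem data model, and the Recent folder is assumed to live at %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent.

```python
import re

# Case-insensitive match on the path segment that identifies the Recent folder
# (assumed location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent).
RECENT_RE = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\recent\\", re.IGNORECASE)


def is_iso_lnk_in_recent(event: dict) -> bool:
    """True when the event is a .iso.lnk creation inside the Recent folder."""
    if event.get("action") != "created":
        return False
    name = event.get("file_name", "")
    path = event.get("file_path", "").replace("/", "\\")
    return name.lower().endswith(".iso.lnk") and RECENT_RE.search(path) is not None


def find_iso_lnk_creations(events: list[dict]) -> list[dict]:
    """Return one alert per matching event with host, user and the opened ISO name."""
    alerts = []
    for ev in events:
        if is_iso_lnk_in_recent(ev):
            alerts.append({
                "dest": ev.get("dest"),
                "user": ev.get("user"),
                "file_name": ev["file_name"],
                # Stripping ".lnk" from the shortcut name yields the ISO the user opened.
                "iso_name": ev["file_name"][:-len(".lnk")],
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"action": "created", "dest": "ws01", "user": "alice", "file_name": "invoice.iso.lnk",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\invoice.iso.lnk"},
    {"action": "created", "dest": "ws01", "user": "alice", "file_name": "report.docx.lnk",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.docx.lnk"},
    # .iso.lnk but outside the Recent folder, so not flagged
    {"action": "created", "dest": "ws02", "user": "bob", "file_name": "Update.ISO.LNK",
     "file_path": r"C:\Users\bob\Downloads\Update.ISO.LNK"},
    # deletion rather than creation, so not flagged
    {"action": "deleted", "dest": "ws02", "user": "bob", "file_name": "old.iso.lnk",
     "file_path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\old.iso.lnk"},
    {"action": "created", "dest": "ws03", "user": "carol", "file_name": "SETUP.ISO.LNK",
     "file_path": r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Recent\SETUP.ISO.LNK"},
]

if __name__ == "__main__":
    for alert in find_iso_lnk_creations(SAMPLE_EVENTS):
        print(alert)
```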
Categories
- Endpoint
- Windows
Data Sources
- File
ATT&CK Techniques
- T1566.001
- T1566
- T1204.001
- T1204
- T1556.001
Created: 2024-11-13