
SoftPerfect Network Scanner Execution

Anvilogic Forge

Summary
This rule detects the execution of SoftPerfect Network Scanner under any of its executable names (netscan.exe, netscan32.exe, and netscan64.exe). The tool is not inherently malicious, but threat actors often use it for unauthorized network discovery after compromising a system. Monitoring for its execution is essential, because unexpected usage could indicate unauthorized scanning activity within the network. The rule uses Windows Sysmon logs, specifically EventCode 1, which records process creation events. It filters for SoftPerfect Network Scanner by matching its specific process names and paths, and it gathers relevant information such as timestamps, host information, the user accounts involved, and parent process details. Correlating this data helps identify potential misuse of the tool during security incidents.
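The matching logic described in the summary can be sketched as follows. This is an added example, not the rule's own query from Anvilogic Forge; the event field names (`UtcTime`, `Computer`, `User`, `Image`, `ParentImage`) and all sample events are assumptions constructed for illustration.

```python
import ntpath

# Executable names the rule summary lists for SoftPerfect Network Scanner.
NETSCAN_NAMES = {"netscan.exe", "netscan32.exe", "netscan64.exe"}

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-02-09 10:15:02.113",
     "Computer": "ws01.example.local", "User": "EXAMPLE\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\NetScan64.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Similar-looking but unrelated Windows binary: must not match.
    {"EventCode": 1, "UtcTime": "2024-02-09 10:16:40.002",
     "Computer": "ws01.example.local", "User": "EXAMPLE\\jdoe",
     "Image": "C:\\Windows\\System32\\netstat.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Right image, wrong event type (not process creation): must not match.
    {"EventCode": 3, "UtcTime": "2024-02-09 10:17:11.500",
     "Computer": "srv02.example.local", "User": "EXAMPLE\\svc_backup",
     "Image": "C:\\Tools\\netscan.exe"},
    # EventCode delivered as a string, as some log pipelines do.
    {"EventCode": "1", "UtcTime": "2024-02-09 10:20:45.871",
     "Computer": "srv02.example.local", "User": "EXAMPLE\\svc_backup",
     "Image": "C:\\ProgramData\\netscan.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

def is_netscan_execution(event):
    """True for a process-creation event whose image is a netscan binary."""
    if str(event.get("EventCode")) != "1":
        return False
    image = event.get("Image") or ""
    # ntpath parses Windows paths on any OS; compare the file name exactly
    # and case-insensitively so "mynetscan.exe" or "netscan.exe.bak" miss.
    return ntpath.basename(image).lower() in NETSCAN_NAMES

def detect(events):
    """Return the triage fields the summary mentions for each match."""
    return [
        {"time": ev.get("UtcTime"), "host": ev.get("Computer"),
         "user": ev.get("User"), "process": ev.get("Image"),
         "parent_process": ev.get("ParentImage")}
        for ev in events if is_netscan_execution(ev)
    ]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Because the match relies on the image name, the parent process and user fields returned here are what let an analyst separate an administrator's expected scan from an unexpected launch.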
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1046
Created: 2024-02-09