
Unusually Long Command Line - MLTK

Splunk Security Content

Summary
This analytic uses the Splunk Machine Learning Toolkit (MLTK) to flag command lines whose length is unusual for the user who ran them. A per-user baseline of command-line length is fit from historical process telemetry, and new command lines that fall far outside that baseline are reported. Unusually long command lines are a common sign of obfuscation (encoded or heavily concatenated PowerShell, for example) or of complex scripts being passed inline, and may precede unauthorized access, data exfiltration, or further compromise of the host. The detection relies on process telemetry from Endpoint Detection and Response (EDR) agents together with the relevant Windows event logs. Before the rule can run, those logs must be ingested, normalized to the Splunk Common Information Model (CIM), and used to train the MLTK model on historical command-line data.
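The idea behind the rule, as an added illustration rather than the Splunk content or the MLTK model itself: build a per-user baseline of command-line length from historical process events, then score each new command line against the baseline of the user who ran it. The example uses a simple z-score in place of the MLTK density model, the event list is constructed, and the `z_threshold` and `min_events` parameters are assumed tuning knobs, not values from the detection.

```python
"""Per-user command-line length baseline and outlier scoring.

Added example, not Splunk's MLTK detection code. A plain z-score stands in
for the MLTK model; the telemetry below is constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed process-creation telemetry: (user, command line).
HISTORICAL = [
    ("alice", "cmd.exe /c dir"),
    ("alice", "cmd.exe /c ipconfig /all"),
    ("alice", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("alice", "cmd.exe /c whoami"),
    ("alice", "explorer.exe"),
    ("bob", "powershell.exe -NoProfile -File C:\\scripts\\build.ps1 -Config Release"),
    ("bob", "powershell.exe -NoProfile -File C:\\scripts\\deploy.ps1 -Env staging"),
    ("bob", "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running"),
    ("bob", "git.exe pull origin main"),
    ("bob", "msbuild.exe C:\\src\\app.sln /p:Configuration=Release"),
]


def build_baseline(events):
    """Return {user: (mean, population stdev, event count)} of command-line length."""
    lengths = defaultdict(list)
    for user, cmd in events:
        lengths[user].append(len(cmd))
    baseline = {}
    for user, values in lengths.items():
        mean = statistics.fmean(values)
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[user] = (mean, stdev, len(values))
    return baseline


def score(baseline, user, cmd, z_threshold=3.0, min_events=5):
    """Return (is_outlier, z) for one command line against its user's baseline.

    Users with no history, too little history, or a constant-length history
    (stdev 0) get (None, None) rather than a spurious verdict: the baseline is
    not trustworthy yet, which is the situation a new or rarely seen account
    puts the detection in. Threshold values are assumed, not from the rule.
    """
    if user not in baseline:
        return (None, None)
    mean, stdev, count = baseline[user]
    if count < min_events or stdev == 0.0:
        return (None, None)
    z = (len(cmd) - mean) / stdev
    return (z > z_threshold, z)


def detect(baseline, events):
    """Return the events whose command line is an outlier for that user."""
    flagged = []
    for user, cmd in events:
        is_outlier, z = score(baseline, user, cmd)
        if is_outlier:
            flagged.append((user, cmd, round(z, 1)))
    return flagged


if __name__ == "__main__":
    base = build_baseline(HISTORICAL)
    # Constructed new activity: a normal command, a long encoded-style command
    # (the payload is placeholder 'A's, not a real encoded script), and an
    # account with no baseline at all.
    new_events = [
        ("alice", "cmd.exe /c dir /s"),
        ("alice", "powershell.exe -NoP -W Hidden -Enc " + "A" * 180),
        ("carol", "cmd.exe /c dir"),
    ]
    for hit in detect(base, new_events):
        print("outlier:", hit)
```

The per-user split matters more than the scoring function: a build engineer's routine 80-character PowerShell invocation is normal for that account and would swamp a host-wide threshold, while the same line from an account that only ever runs `dir` and `whoami` is the thing to look at.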
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Logon Session
Created: 2024-12-16