
Summary
This rule is a machine learning (ML) based detector named Rare Powershell Script, designed to flag PowerShell scripts that are unusually rare within a host's environment. Unlike entropy-based anomaly checks, it relies on a script block hash fingerprint and a baseline of normal PowerShell activity to identify scripts that have rarely or never been observed on a given Windows endpoint. It is powered by the v3_windows_rare_script_ea ML job and requires data ingested from Elastic Defend and Windows endpoints.

When the rule fires, the alert indicates low-frequency PowerShell activity that may be malicious or persistence-related, and prompts triage to determine whether the script is part of legitimate maintenance or a post-exploitation scenario. The rule maps to the MITRE ATT&CK Execution technique T1059 and its sub-technique T1059.001 (PowerShell). The detection window spans from now minus 45 minutes, evaluated every 15 minutes. The rule's risk score is modest (21); it is intended to surface rare-but-significant PowerShell script blocks that merit investigation.

Triage guidance emphasizes examining the script content, the execution chain, and the contextual user and host activity, while accounting for planned administrative actions, software updates, or legitimate automation. The recommended response includes containment, artifact collection, credential assessment, and improvements to logging that reduce Mean Time to Detect and Respond (MTTD/MTTR). References point to Elastic ML job setup guidance and living-off-the-land detection resources. The rule is designed for Windows endpoints and requires the Elastic Defend and Windows integrations to function correctly, with deployment focused on endpoint telemetry and script execution events.
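As an added illustration (not the rule's or Elastic's own code, and a deliberate simplification of what the v3_windows_rare_script_ea ML job does), the following Python sketches the mechanism described above: fingerprint each script block by hash, build a per-host baseline of how often each fingerprint occurs, and flag window events whose fingerprint is rarely or never seen on that host. The sample events, the threshold and the function names are constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict
# Constructed baseline: (host, script block text) pairs standing in for the historical
# PowerShell script block events from which "normal" activity is learned.
BASELINE_EVENTS = (
    [("host-a", "Get-Service | Where-Object Status -eq 'Running'")] * 5
    + [("host-a", "Get-Process | Sort-Object CPU -Descending")] * 4
    + [("host-b", "Get-Service | Where-Object Status -eq 'Running'")] * 3
)
# Constructed evaluation window: script blocks observed during the latest lookback.
WINDOW_EVENTS = [
    ("host-a", "Get-Service | Where-Object Status -eq 'Running'"),
    ("host-a", "get-process   | sort-object CPU -descending"),  # same script, reformatted
    ("host-b", "Get-Process | Sort-Object CPU -Descending"),  # common on fleet, new on host-b
    ("host-a", "Compress-Archive -Path C:\\Temp\\logs -DestinationPath C:\\Temp\\logs.zip"),
]

def script_fingerprint(script_text):
    """Hash a whitespace- and case-normalised script block so reformatted copies
    of the same script share a fingerprint (the per-script key the baseline is built on)."""
    normalised = " ".join(script_text.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()

def build_baseline(events):
    """Count fingerprint occurrences per host and across the whole fleet."""
    per_host, fleet = defaultdict(Counter), Counter()
    for host, script in events:
        fp = script_fingerprint(script)
        per_host[host][fp] += 1
        fleet[fp] += 1
    return per_host, fleet

def find_rare_scripts(window_events, per_host, fleet, min_host_count=2):
    """Flag window events whose fingerprint appeared fewer than min_host_count times
    on that host; fleet_count is carried along as triage context, not used as a filter."""
    findings = []
    for host, script in window_events:
        fp = script_fingerprint(script)
        host_count = per_host[host][fp]
        if host_count >= min_host_count:
            continue  # established on this host: not rare
        findings.append({"host": host, "fingerprint": fp[:16], "script": script,
                         "host_count": host_count, "fleet_count": fleet[fp],
                         "reason": "never seen on host" if host_count == 0 else "rare on host"})
    return findings

if __name__ == "__main__":
    baseline_per_host, baseline_fleet = build_baseline(BASELINE_EVENTS)
    for finding in find_rare_scripts(WINDOW_EVENTS, baseline_per_host, baseline_fleet):
        print(finding)
```

The fleet_count field is what lets a triager separate "new on this host but routine elsewhere" (likely admin tooling rolling out) from "never seen anywhere" (worth pulling the full script block and execution chain).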
Categories
- Endpoint
- Windows
Data Sources
- Script
- Process
- Command
ATT&CK Techniques
- T1059
- T1059.001
Created: 2026-03-27