Uncommon Processes On Endpoint

Splunk Security Content

Summary
The 'Uncommon Processes On Endpoint' detection rule identifies processes on endpoints that the analyst has marked as uncommon, which can indicate malicious activity or a compromised host. It is driven by process-creation telemetry (Sysmon EventID 1) collected by an Endpoint Detection and Response (EDR) agent and normalized into the Endpoint.Processes data model. The rule itself performs no statistical modelling: it groups events by process name, collects the destination host and user values seen for each name, counts occurrences, and records the first and last time each process was observed; which names count as "uncommon" is decided by the analyst's tuning, and a name that has never been seen before or appears on only a handful of hosts is the typical lead to investigate. The rule belongs to the Hermetic Wiper, Unusual Processes and Windows Privilege Escalation analytic stories. Implementing it requires ingesting logs that carry full process details, including the command line, and mapping them to the Splunk Common Information Model (CIM) so the Endpoint.Processes fields are populated. It is mapped to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002), which falls under the Execution tactic. The rule is marked as deprecated, meaning it is no longer maintained by the project and should not be relied on in a current detection posture; treat the logic below as reference material rather than a drop-in control.
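The aggregation the rule performs over the data model, written out as an added Python example so it can be run against sample records offline. This is illustrative code, not the Splunk SPL and not code from the Splunk Security Content project; the input events are constructed here, and the allow-list of "common" process names is an assumption standing in for the analyst's own marking of which processes are uncommon.

```python
"""Added example: the per-process aggregation behind 'Uncommon Processes On
Endpoint', re-implemented in Python over constructed CIM-style records.
Not Splunk's code; field names follow the Endpoint.Processes data model
(_time, dest, user, process_name)."""

from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, shaped as Sysmon Event ID 1 records look after
# CIM mapping. _time is epoch seconds, as in Splunk.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice", "process_name": "explorer.exe"},
    {"_time": 1700000060, "dest": "ws01", "user": "CORP\\alice", "process_name": "chrome.exe"},
    {"_time": 1700000120, "dest": "ws02", "user": "CORP\\bob",   "process_name": "explorer.exe"},
    {"_time": 1700000180, "dest": "ws02", "user": "CORP\\bob",   "process_name": "unknown_tool.exe"},
    {"_time": 1700000240, "dest": "ws03", "user": "CORP\\carol", "process_name": "chrome.exe"},
    {"_time": 1700000300, "dest": "ws02", "user": "SYSTEM",      "process_name": "unknown_tool.exe"},
]

# ASSUMPTION: an analyst-maintained allow-list of process names considered
# common. The real rule leaves this marking to the analyst's tuning; this
# set only exists so the example has something to filter against.
COMMON_PROCESSES = {"explorer.exe", "chrome.exe"}


def aggregate_by_process(events):
    """Group by process_name and compute, per name: count, the set of dest
    values, the set of user values, and the first/last _time seen. This is
    the equivalent of the rule's count / values() / min(_time) / max(_time)
    aggregation."""
    summary = defaultdict(lambda: {"count": 0, "dest": set(), "user": set(),
                                   "firstTime": None, "lastTime": None})
    for e in events:
        s = summary[e["process_name"]]
        s["count"] += 1
        s["dest"].add(e["dest"])
        s["user"].add(e["user"])
        t = e["_time"]
        s["firstTime"] = t if s["firstTime"] is None else min(s["firstTime"], t)
        s["lastTime"] = t if s["lastTime"] is None else max(s["lastTime"], t)
    return dict(summary)


def uncommon_processes(events, common=COMMON_PROCESSES):
    """Apply the 'marked as uncommon' filter: keep only aggregated rows whose
    process_name is not on the common list, ordered by name."""
    agg = aggregate_by_process(events)
    return {name: s for name, s in sorted(agg.items()) if name not in common}


def fmt_time(epoch):
    """Render an epoch timestamp as readable UTC, as the rule does for
    firstTime/lastTime before presenting results."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for name, s in uncommon_processes(SAMPLE_EVENTS).items():
        print(f"{name}: count={s['count']} dest={sorted(s['dest'])} "
              f"user={sorted(s['user'])} first={fmt_time(s['firstTime'])} "
              f"last={fmt_time(s['lastTime'])}")
```

On the constructed input only unknown_tool.exe survives the filter, seen twice on ws02 under two different users. The low count, the single host and the change of user context are the signals a practitioner would pivot on; the aggregation shows where to look, and the command line and parent process from the same Sysmon events are what would confirm or dismiss the finding.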
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1204.002
Created: 2024-11-14