Unusual Process Spawned by a Host

Elastic Detection Rules

Summary
The rule detects unusual processes spawned by hosts on Windows systems using a machine learning model known as ProblemChild. By flagging processes that the model's predictive analysis scores as suspicious and that are also unusual for the host in a typically benign environment, the rule aims to uncover stealthy, malicious activity often associated with 'Living off the Land' (LotL) tactics. With an anomaly threshold of 75 and a risk score of 21, it identifies processes that are atypical for the host and that may evade traditional detection methods. The rule runs over the last 45 minutes and checks for anomalies every 15 minutes. Setup requires installing specific integrations, such as the LotL Attack Detection integration. The rule's investigation guide provides detailed steps for triaging alerts raised by the machine learning model, addressing false-positive scenarios, and suggesting response actions to mitigate threats and conduct a forensic investigation if suspicious behavior is confirmed.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1218
Created: 2023-09-19