PowerShell XML Retrieval

Anvilogic Forge

Summary
The 'PowerShell XML Retrieval' detection rule targets malicious activity in which PowerShell commands are used to fetch data from XML files over HTTP or HTTPS. This behavior can indicate data exfiltration or the misuse of legitimate scripts to retrieve sensitive file contents. The rule is written in a SQL-like syntax for execution on the Snowflake data platform and analyzes process events from CrowdStrike endpoint detection and response (EDR) logs.

Specifically, the detection looks for process events from the last two hours on Windows platforms and filters for those whose command lines contain keywords associated with XML or specific COM objects such as 'MsXml2.ServerXmlHttp'. It uses regular expressions for pattern matching so that it can identify the various PowerShell command forms that could pose a threat. The aim is to capture behavior aligned with the command and scripting interpreter techniques in MITRE ATT&CK (T1059.001 and T1059). The rule can serve as a proactive measure against the abuse of PowerShell for information theft or unauthorized data access.
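The filter logic described above, simulated in Python over constructed sample process events. This is an added example, not Anvilogic's rule or its Snowflake SQL; the field names (platform, timestamp, image, command_line) and the regular expressions are assumptions, since the page does not show the rule's schema or patterns.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed field names and patterns; the page does not show the rule's schema
# or its exact regular expressions.
POWERSHELL_RE = re.compile(r"(?i)(^|[\\/])(powershell|pwsh)(\.exe)?$")
# An .xml resource fetched over http/https, or the MsXml2.ServerXmlHttp COM object.
XML_FETCH_RE = re.compile(r"(?i)https?://[^\s'\"]+\.xml\b|MsXml2\.ServerXmlHttp")
WINDOW = timedelta(hours=2)

def is_hit(event, now):
    """True when a process event satisfies every condition of the rule."""
    if event["platform"].lower() != "windows":
        return False
    if now - event["timestamp"] > WINDOW:           # only the last two hours
        return False
    if not POWERSHELL_RE.search(event["image"]):     # PowerShell host process
        return False
    return bool(XML_FETCH_RE.search(event["command_line"]))

def find_hits(events, now):
    """Return the ids of the events the rule would surface, in log order."""
    return [e["id"] for e in events if is_hit(e, now)]

NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def _evt(eid, minutes_ago, platform, image, cmd):
    return {"id": eid, "timestamp": NOW - timedelta(minutes=minutes_ago),
            "platform": platform, "image": image, "command_line": cmd}

# Constructed sample events, not real CrowdStrike telemetry.
SAMPLE_EVENTS = [
    _evt("evt-1", 5, "Windows", PS,
         "powershell.exe -Command \"$h = New-Object -ComObject MsXml2.ServerXmlHttp; "
         "$h.Open('GET','http://updates.example.invalid/feed.xml',$false); $h.Send()\""),
    _evt("evt-2", 40, "Windows", PS,
         "powershell.exe -Command \"Invoke-WebRequest -Uri https://cfg.example.invalid/settings.xml\""),
    # Local XML parsing: no http/https fetch, so the rule stays silent.
    _evt("evt-3", 10, "Windows", PS,
         "powershell.exe -Command \"[xml](Get-Content C:\\app\\config.xml)\""),
    # Matching command, but three hours old: outside the two-hour window.
    _evt("evt-4", 180, "Windows", PS,
         "powershell.exe -Command \"New-Object -ComObject MsXml2.ServerXmlHttp\""),
    # Not a Windows platform.
    _evt("evt-5", 15, "Linux", "/usr/bin/pwsh",
         "pwsh -c \"Invoke-WebRequest https://cfg.example.invalid/settings.xml\""),
    # Not a PowerShell host process.
    _evt("evt-6", 15, "Windows", r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c curl http://cfg.example.invalid/settings.xml"),
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS, NOW))  # ['evt-1', 'evt-2']
```

The negative cases (evt-3 to evt-6) are the tuning points a practitioner would check first: each drops out on exactly one condition, so a false negative or false positive in production can be traced to a single clause.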
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1059.001
  • T1059
Created: 2024-02-09