Mesh Agent Service Installation

Sigma Rules

Summary
This detection rule identifies the installation of the Mesh Agent service on Windows systems; Mesh Agent is used for remote management of devices. The rule leverages Windows security event data by monitoring the Service Control Manager (SCM) for events associated with new service installations. The detection keys on Event ID 7045 with the provider name 'Service Control Manager', and additionally looks for specific keywords in the installed service's image path or service name that indicate the Mesh Agent. Because the agent facilitates remote access, its installation may pose a security risk, especially when unauthorized. Legitimate uses exist, so the rule lists legitimate installations of the tool as a potential false positive.
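The selection logic described above, run over a handful of constructed service-installation records, as an added example that is not part of the rule page or the Sigma project's own code. The record format (flat `key=value` pairs), the keyword list (`meshagent`, `mesh agent`) and the allow-list of hosts where the agent is expected are assumptions made for the example; the actual rule's keywords may differ. The allow-list shows one way to handle the legitimate-installation false positive the summary mentions.

```python
"""Mesh Agent service-installation check (Event ID 7045) over constructed records."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Assumed keywords marking a Mesh Agent install (matched case-insensitively).
MESH_KEYWORDS = ("meshagent", "mesh agent")

# Constructed sample records in a flat key=value form; not real telemetry.
SAMPLE_RECORDS = [
    r'EventID=7045|Provider=Service Control Manager|Computer=WS01|ServiceName=Mesh Agent|ImagePath="C:\Program Files\Mesh Agent\MeshAgent.exe"',
    r'EventID=7045|Provider=Service Control Manager|Computer=WS02|ServiceName=Print Spooler Helper|ImagePath=C:\Windows\System32\spoolsv.exe',
    r'EventID=7045|Provider=Service Control Manager|Computer=SRV-IT|ServiceName=RemoteMgmt|ImagePath=C:\Agents\meshagent64.exe',
    r'EventID=7036|Provider=Service Control Manager|Computer=WS01|ServiceName=Mesh Agent|ImagePath=',
    r'EventID=7045|Provider=Custom-Installer|Computer=WS03|ServiceName=Mesh Agent|ImagePath=C:\MeshAgent.exe',
]


@dataclass
class ServiceInstallEvent:
    event_id: int
    provider: str
    computer: str
    service_name: str
    image_path: str


def parse_record(line: str) -> ServiceInstallEvent:
    """Parse one key=value|key=value record into a typed event."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return ServiceInstallEvent(
        event_id=int(fields.get("EventID", "0")),
        provider=fields.get("Provider", ""),
        computer=fields.get("Computer", ""),
        service_name=fields.get("ServiceName", ""),
        image_path=fields.get("ImagePath", ""),
    )


def _contains_keyword(value: str) -> bool:
    lowered = value.lower()
    return any(keyword in lowered for keyword in MESH_KEYWORDS)


def is_mesh_agent_install(event: ServiceInstallEvent) -> bool:
    """Selection from the summary: 7045, SCM provider, keyword in name or image path.

    Name and path are tested separately so a keyword cannot be assembled
    across the boundary between the two fields.
    """
    if event.event_id != 7045 or event.provider != "Service Control Manager":
        return False
    return _contains_keyword(event.service_name) or _contains_keyword(event.image_path)


def triage(records: Iterable[str],
           authorized_hosts: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Return matching installs split into 'alert' and 'expected' buckets.

    Hosts in authorized_hosts (assumed to be maintained by the IT team) are
    reported as expected rather than alerted, covering the legitimate-use
    false positive the rule documents.
    """
    result: Dict[str, List[str]] = {"alert": [], "expected": []}
    for line in records:
        event = parse_record(line)
        if not is_mesh_agent_install(event):
            continue
        bucket = "expected" if event.computer.upper() in authorized_hosts else "alert"
        result[bucket].append(f"{event.computer}:{event.service_name}")
    return result


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_RECORDS, frozenset({"SRV-IT"})).items():
        print(bucket, hits)
```

Of the five constructed records only the first and third satisfy all three conditions; the 7036 event and the record from a different provider are dropped before the keyword test, and the allow-listed host lands in the expected bucket instead of raising an alert.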
Categories
  • Windows
  • Endpoint
Data Sources
  • Service
  • Windows Registry
Created: 2022-11-28