
Summary
This detection rule identifies the installation and configuration of PowerShell Web Access (PsWA), which allows remote management of Windows machines. Its primary focus is catching potential misuse by detecting the specific PowerShell commands involved in PsWA installation and in its authorization rules. When an administrator sets up PowerShell Web Access, the legitimate commands `Install-WindowsFeature WindowsPowerShellWebAccess` and `Install-PswaWebApplication` are used, and authorization rules granting users remote access are then added with `Add-PswaAuthorizationRule`. Because PsWA can be misused by malicious actors to gain unauthorized access, monitoring these actions is crucial. The rule triggers on a single occurrence of the detection conditions, a threshold intended to keep false positives to a minimum. It therefore keeps track of any modification to PowerShell's web access capabilities and supports review of the security surrounding such configurations.
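The following is an added example, not the rule's own logic, showing how the three conditions above can be matched against script block log entries and how an `Add-PswaAuthorizationRule` hit can be enriched with the scope it grants. It assumes each entry is available as a dict with a `ScriptBlockText` field, and the parameter names it extracts (`-UserName`, `-UserGroupName`, `-ComputerName`, `-ComputerGroupName`, `-ConfigurationName`) are assumed; the sample entries are constructed.

```python
import re

# One regex per condition named in the rule summary, matched case-insensitively
# because PowerShell cmdlet and parameter names are. Install-WindowsFeature only
# counts when the PsWA feature is named in the same command (the match stops at
# ';' or '|', so an unrelated feature install followed by another command is ignored).
PSWA_CONDITIONS = {
    "pswa_feature_install": re.compile(
        r"Install-WindowsFeature[^;|\r\n]*\bWindowsPowerShellWebAccess\b", re.I),
    "pswa_webapp_install": re.compile(r"\bInstall-PswaWebApplication\b", re.I),
    "pswa_auth_rule_added": re.compile(r"\bAdd-PswaAuthorizationRule\b", re.I),
}
# Scope parameters of Add-PswaAuthorizationRule (assumed names) extracted for analyst context.
_RULE_PARAMS = ("UserName", "UserGroupName", "ComputerName", "ComputerGroupName", "ConfigurationName")
_VALUE = r"""("[^"]*"|'[^']*'|\S+)"""  # a quoted or bare parameter value

def auth_rule_params(script_block: str) -> dict:
    """Pull the scope parameters out of an Add-PswaAuthorizationRule call."""
    params = {}
    for name in _RULE_PARAMS:
        m = re.search(rf"-{name}\s+{_VALUE}", script_block, re.I)
        if m:
            params[name] = m.group(1).strip("\"'")
    # A wildcard scope grants access far more broadly than a named principal or host.
    params["broad_grant"] = "*" in params.values()
    return params

def detect_pswa(events):
    """events: iterable of dicts with a 'ScriptBlockText' key (a constructed stand-in
    for script block log entries). A single matching event yields a finding,
    mirroring the rule's single-occurrence trigger."""
    findings = []
    for i, ev in enumerate(events):
        text = ev.get("ScriptBlockText", "")
        for cond, pattern in PSWA_CONDITIONS.items():
            if pattern.search(text):
                detail = auth_rule_params(text) if cond == "pswa_auth_rule_added" else {}
                findings.append({"index": i, "condition": cond, "detail": detail, "script": text})
    return findings

# Constructed sample script block entries, not real log data.
SAMPLE_EVENTS = [
    {"ScriptBlockText": "Install-WindowsFeature Web-Server -IncludeManagementTools"},
    {"ScriptBlockText": "Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools"},
    {"ScriptBlockText": "install-pswawebapplication -UseTestCertificate"},
    {"ScriptBlockText": "Add-PswaAuthorizationRule -UserName 'CONTOSO\\jdoe' -ComputerName srv01 -ConfigurationName Microsoft.PowerShell"},
    {"ScriptBlockText": "Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *"},
    {"ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
]
```

Running `detect_pswa(SAMPLE_EVENTS)` flags entries 1 through 4 and ignores the unrelated feature install and the `Get-Process` line; the wildcard rule is marked `broad_grant` so an analyst can prioritise it.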
Categories
- Windows
- Endpoint
Data Sources
- Script
- Application Log
Created: 2024-09-03