
Summary
This analytic rule detects use of the .NET compiler (csc.exe) for on-the-fly compilation of potentially harmful .NET code, a technique adversaries often leverage to bypass security measures. The detection aggregates data from Endpoint Detection and Response (EDR) solutions, specifically monitoring the command-line inputs associated with csc.exe execution. Identifying on-the-fly compilation is critical because it may indicate an attempt to execute arbitrary code, leading to severe security incidents such as system compromise, data breaches, or further infiltration of the network. The search queries process execution events and looks for specific command-line patterns, thereby highlighting suspicious activity that warrants further investigation.
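As an added example (not part of this analytic rule or its vendor's content), the following Python applies the described check to constructed EDR process events: it normalizes the image path so csc.exe is caught regardless of location or case, and flags command lines that hand csc.exe source to compile. The event field names, the indicator set and the sample events are assumptions for illustration.

```python
"""Flag on-the-fly .NET compilation via csc.exe in EDR process events.

Added example, not code from the original rule. The event schema, the
indicator set and the sample events below are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath

# Command-line indicators that csc.exe was handed source to compile (assumed set;
# /out: and /target: are documented csc.exe switches, .cs is the C# source extension).
COMPILE_INDICATORS = [
    re.compile(r"\.cs\b", re.IGNORECASE),       # a C# source file on the command line
    re.compile(r"[/-]out:", re.IGNORECASE),     # explicit output assembly
    re.compile(r"[/-]target:", re.IGNORECASE),  # explicit output type (exe/library)
]


def is_csc(image_path: str) -> bool:
    """True when the executed image is csc.exe, regardless of directory or case."""
    return PureWindowsPath(image_path).name.lower() == "csc.exe"


def matches_compile(cmdline: str) -> bool:
    """True when the command line carries at least one compile indicator."""
    return any(p.search(cmdline) for p in COMPILE_INDICATORS)


def detect(events):
    """Return the EDR process events that indicate csc.exe compilation, keeping
    the fields an analyst needs for triage (host, user, parent, command line)."""
    hits = []
    for ev in events:
        if is_csc(ev.get("process_path", "")) and matches_compile(ev.get("command_line", "")):
            hits.append({k: ev.get(k) for k in ("host", "user", "parent_process", "command_line")})
    return hits


# Constructed sample EDR events (not real telemetry). Only the first should fire:
# the second is a normal build-agent invocation, the third runs csc.exe without compiling.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe",
     "process_path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"csc.exe /nologo /out:C:\Users\jdoe\AppData\Local\Temp\abc.dll /target:library C:\Users\jdoe\AppData\Local\Temp\abc.cs"},
    {"host": "BUILD01", "user": "svc_build", "process_path": r"C:\Program Files\dotnet\dotnet.exe",
     "parent_process": r"C:\agent\bin\Agent.Worker.exe", "command_line": "dotnet build MyApp.sln"},
    {"host": "WS02", "user": "asmith", "process_path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CSC.EXE",
     "parent_process": r"C:\Windows\explorer.exe", "command_line": "CSC.EXE /help"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In production the parent process and output directory of each hit would be the first triage pivots; legitimate build hosts can be allow-listed on the parent field rather than by suppressing csc.exe outright.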
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
ATT&CK Techniques
- T1027.004
- T1027
Created: 2024-11-13