
Summary
The rule identifies the use of a specific PowerShell command that indicates an attempt to conduct a live memory dump on a Windows machine. The command in question, `Get-StorageDiagnosticInfo -IncludeLiveDump`, is indicative of attempts to gather live system memory data, which can potentially expose sensitive information such as passwords or tokens. For this detection to function, script block logging must be enabled so that PowerShell command executions are captured. The rule is designed to alert administrators to the execution of this command, especially in environments where such diagnostics are not typically justified, which increases the likelihood that its use is malicious. The detection is considered high-risk because of the potential severity of data exposure from a successful live memory dump.
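As an added example, not part of the original rule, the following Python snippet shows the detection logic from the summary applied to constructed PowerShell script block log records (shaped like event ID 4104 from the PowerShell Operational log, with a `ScriptBlockText` field). The sample events, computer names and user names are constructed for illustration; the matching is case-insensitive and tolerant of line continuations, since the cmdlet and parameter names may be split across lines or written in mixed case.

```python
import re

# Constructed sample records shaped like PowerShell script block logging
# events (event ID 4104). None of these are real logs.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "User": "CONTOSO\\alice",
     "ScriptBlockText": "Get-ChildItem C:\\Users"},
    {"EventID": 4104, "Computer": "WS02", "User": "CONTOSO\\bob",
     "ScriptBlockText": "Get-StorageDiagnosticInfo -DestinationPath C:\\Temp\\diag -IncludeLiveDump"},
    # Mixed case plus a backtick line continuation, to show the match is not
    # defeated by trivial reformatting.
    {"EventID": 4104, "Computer": "WS03", "User": "CONTOSO\\carol",
     "ScriptBlockText": "gEt-sToRaGeDiAgNoStIcInFo `\n    -includelivedump"},
    # Same cmdlet without the live dump switch: ordinary storage diagnostics.
    {"EventID": 4104, "Computer": "WS04", "User": "CONTOSO\\dave",
     "ScriptBlockText": "Get-StorageDiagnosticInfo -DestinationPath C:\\Temp\\diag"},
    # A non-4104 record is ignored; this rule keys on script block text only.
    {"EventID": 4103, "Computer": "WS05", "User": "CONTOSO\\erin",
     "ScriptBlockText": "Get-StorageDiagnosticInfo -IncludeLiveDump"},
]

# The cmdlet followed (anywhere later in the block) by the live dump switch.
# DOTALL lets the pattern span line continuations.
LIVE_DUMP_PATTERN = re.compile(
    r"get-storagediagnosticinfo\b.*?-includelivedump",
    re.IGNORECASE | re.DOTALL,
)


def is_live_dump_attempt(script_block_text: str) -> bool:
    """True when the script block invokes Get-StorageDiagnosticInfo with -IncludeLiveDump."""
    return bool(LIVE_DUMP_PATTERN.search(script_block_text or ""))


def script_block_logging_present(events) -> bool:
    """Sanity check for the rule's prerequisite: without any 4104 events the
    rule cannot fire, which usually means script block logging is disabled."""
    return any(ev.get("EventID") == 4104 for ev in events)


def detect_live_memory_dump(events):
    """Return one alert per script block event that matches the rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if is_live_dump_attempt(text):
            alerts.append({
                "computer": ev.get("Computer"),
                "user": ev.get("User"),
                # A normalised one-line snippet for the analyst to review.
                "snippet": " ".join(text.split()),
                "severity": "high",
            })
    return alerts


if __name__ == "__main__":
    if not script_block_logging_present(SAMPLE_EVENTS):
        print("no script block events seen; enable script block logging")
    for alert in detect_live_memory_dump(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['computer']} {alert['user']}: {alert['snippet']}")
```

Matching on the literal cmdlet and switch names is what the rule describes; a production rule would additionally tune for hosts where storage diagnostics are an expected administrative task, as the summary notes, to keep the alert volume meaningful.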
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2021-09-21