
Summary
This detection rule targets high-entropy PowerShell command executions, which are often indicative of obfuscation techniques used by malicious actors to run scripts while evading detection. Base64 encoding and PowerShell obfuscation scripts such as Chimera can produce complex command lines that slip past traditional antivirus solutions and the Antimalware Scan Interface (AMSI). The rule leverages Splunk's URL Toolbox to identify commands whose structure has high entropy, which suggests they may not be benign. Using the logic provided, it evaluates PowerShell execution logs by calculating the Shannon entropy of the command strings and filtering those that exceed a predefined threshold (avg_ut > 5). By aggregating the results, the rule surfaces potentially suspicious PowerShell activity, allowing security teams to focus their investigation on probable attacks or exploits that use PowerShell. The rule is well suited to environments where PowerShell is heavily used but also poses a risk of misuse if not properly monitored.
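As an added illustration of the logic the rule applies (not the rule's own SPL or Splunk's URL Toolbox code), the following Python computes the Shannon entropy of PowerShell command lines, averages it per host, and applies the avg_ut > 5 threshold. The per-host grouping, the function names and the sample command lines are assumptions constructed for the example; the encoded payload is a permutation of the Base64 alphabet standing in for real encoded content.

```python
import math
import string
from collections import Counter, defaultdict

# Threshold taken from the rule (avg_ut > 5)
ENTROPY_THRESHOLD = 5.0

def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (what ut_shannon computes)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def average_entropy_by_host(events):
    """Mimic the rule's aggregation: average command-line entropy per host.
    Grouping by host is an assumption; the rule's own grouping fields are not stated here."""
    per_host = defaultdict(list)
    for host, cmd in events:
        per_host[host].append(shannon_entropy(cmd))
    return {host: sum(vals) / len(vals) for host, vals in per_host.items()}

def hosts_over_threshold(events, threshold=ENTROPY_THRESHOLD):
    """Hosts whose average entropy exceeds the threshold, i.e. what the rule would alert on."""
    return sorted(h for h, avg in average_entropy_by_host(events).items() if avg > threshold)

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed stand-in for an -EncodedCommand payload: every Base64 symbol exactly once
# (37 is coprime with 64, so this is a permutation), giving the payload 6 bits/char.
ENCODED_BLOB = "".join(B64_ALPHABET[(i * 37) % 64] for i in range(64))

# Constructed sample events (host, process command line); not real telemetry.
EVENTS = [
    ("ws01", "powershell.exe Get-Process | Sort-Object CPU -Descending"),
    ("ws01", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("ws02", "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_BLOB),
]

if __name__ == "__main__":
    for host, cmd in EVENTS:
        print(f"{host}  entropy={shannon_entropy(cmd):.2f}  {cmd[:60]}")
    print("hosts over threshold:", hosts_over_threshold(EVENTS))
```

Plain cmdlet invocations draw from fewer than 32 distinct characters and so cannot reach 5 bits/char, while the encoded sample exceeds it even with its low-entropy `powershell.exe -NoP ...` prefix; a real UTF-16LE-encoded payload has repeating null-derived patterns and scores lower, so the threshold should be tuned against your own baseline.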
Categories
- Endpoint
- Windows
- Network
Data Sources
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1059.001
Created: 2024-02-09