
Summary
This analytic rule detects the execution of a process spawned by the `WmiPrvSE.exe` binary, which indicates that Windows Management Instrumentation (WMI) is being used for process creation. Process execution via WMI is frequently associated with malicious behavior such as lateral movement, remote code execution, or establishing persistence on the targeted host. The detection focuses on the parent-child relationship between processes, using data collected from Endpoint Detection and Response (EDR) agents: it analyzes Sysmon Event ID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2 logs to correlate WMI process creation with potentially harmful activity. If this activity is malicious, it can allow attackers to execute arbitrary commands or scripts that compromise the integrity or security of systems on the network.
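As an added example (not the rule's own search logic), the following Python normalizes constructed events in the shape of the three log sources named above and flags children of `WmiPrvSE.exe`; the field names are each source's own, while the sample values and the `allowlist` tuning knob are assumptions.

```python
import ntpath

WMI_PROVIDER_HOST = "wmiprvse.exe"  # parent image the rule keys on

# Constructed sample events (not real telemetry), one per source the rule covers.
# Field names follow each source's own schema; values are made up for illustration.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"source": "security", "EventID": 4688,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"source": "crowdstrike", "event_simpleName": "ProcessRollup2",
     "ParentBaseFileName": "wmiprvse.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

def basename(path: str) -> str:
    # ntpath handles drive-letter and \Device\... paths regardless of host OS
    return ntpath.basename(path).lower()

def normalize(raw: dict) -> dict:
    """Map a source-specific event onto the parent/child fields the rule needs."""
    src = raw["source"]
    if src == "sysmon":                 # Sysmon Event ID 1
        parent, image = raw["ParentImage"], raw["Image"]
    elif src == "security":             # Windows Security Event Log 4688
        parent, image = raw["ParentProcessName"], raw["NewProcessName"]
    elif src == "crowdstrike":          # CrowdStrike ProcessRollup2
        parent, image = raw["ParentBaseFileName"], raw["ImageFileName"]
    else:
        raise ValueError(f"unsupported source: {src}")
    return {"source": src, "parent": basename(parent), "image": basename(image),
            "cmdline": raw.get("CommandLine", "")}

def detect_wmi_spawned_processes(events, allowlist=frozenset()):
    """Events whose parent is WmiPrvSE.exe, minus allowlisted children (assumed tuning knob, not in the published rule)."""
    hits = []
    for ev in map(normalize, events):
        if ev["parent"] == WMI_PROVIDER_HOST and ev["image"] not in allowlist:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in detect_wmi_spawned_processes(SAMPLE_EVENTS):
        print(f"[{hit['source']}] {WMI_PROVIDER_HOST} -> {hit['image']}: {hit['cmdline']}")
```

Children of `WmiPrvSE.exe` also occur in legitimate management activity, so the allowlist is where baselined-benign child images belong once observed in your environment.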
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1047
Created: 2024-11-13