
Summary
This detection rule identifies `regasm.exe` spawning a child process, a behavior that may indicate malicious activity. It examines process creation events recorded by EDR agents in which `regasm.exe` is the parent process. Such activity is uncommon and may represent an attempt to circumvent application control mechanisms, potentially allowing an attacker to execute arbitrary code, which could lead to privilege escalation or persistent access on the system. Verify the legitimacy of any spawned process promptly and investigate related activity. The detection draws on data from multiple sources, including Sysmon, Windows Event Logs, and CrowdStrike logs, and uses Splunk to process and analyze the data. To account for known sources of false positives, the rule includes mechanisms to filter out benign instances, which improves its precision in identifying genuinely suspicious behavior.
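The following is an added example of the rule's core logic, not the detection content's own Splunk search: it runs over a few constructed, flattened Sysmon Event ID 1 (process creation) records, matches on the parent image name `regasm.exe` regardless of path or case, and drops children on an assumed allowlist (`conhost.exe`, which console applications spawn routinely) before emitting alerts tagged with T1218.009.

```python
import re

# Constructed sample telemetry (not from the page or any real host), flattened
# to key=value pairs in the style of Sysmon Event ID 1 process-creation records.
SAMPLE_EVENTS = """\
EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe User=CORP\\alice
EventID=1 Image=C:\\Windows\\System32\\conhost.exe ParentImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe User=CORP\\alice
EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\bob
EventID=3 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe User=NT AUTHORITY\\SYSTEM
"""

PARENT_NAME = "regasm.exe"
# Assumed false-positive filter: conhost.exe is the console host that any
# console application spawns; tune this set to the environment.
ALLOWLISTED_CHILDREN = {"conhost.exe"}

def parse_event(line):
    """Split a key=value line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def basename(path):
    """Last path component, lower-cased, so RegAsm.exe and regasm.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_regasm_children(log_text):
    """Return one alert per process-creation event whose parent is regasm.exe,
    excluding allowlisted child images."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        if basename(ev.get("ParentImage", "")) != PARENT_NAME:
            continue
        child = basename(ev.get("Image", ""))
        if child in ALLOWLISTED_CHILDREN:     # benign, filtered as false positive
            continue
        alerts.append({
            "technique": "T1218.009",
            "user": ev.get("User"),
            "parent": ev["ParentImage"],
            "child": ev["Image"],
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_regasm_children(SAMPLE_EVENTS):
        print(alert)
```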
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218
- T1218.009
Created: 2024-12-10