
Windows Identify Protocol Handlers

Splunk Security Content

Summary
The Windows Identify Protocol Handlers analytic detects potentially malicious use of protocol handlers invoked from the command line on Windows systems. It uses telemetry from Endpoint Detection and Response (EDR) agents, specifically process creation and command-line execution events. A protocol handler lets a registered application process a particular URL scheme; if abused, an attacker can use one to launch unauthorized commands or applications, leading to code execution, privilege escalation, or persistent access to the system. The rule analyzes Sysmon EventID 1, Windows Security Event Log event 4688, and CrowdStrike ProcessRollup2 data to identify this activity. A Splunk search aggregates the process data and filters out legitimate handlers so that only those that may indicate malicious activity remain, letting security teams respond to potential attacks efficiently.
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1218
  • T1059
Created: 2024-11-13