
Summary
This detection rule identifies the installation of the Hybrid Connection Manager service on Windows systems. It monitors Event ID 4697, which logs the installation of a service, and matches events where the service name is 'HybridConnectionManager' and the service's filename contains 'HybridConnectionManager'. The rule helps detect unauthorized persistence that abuses the Hybrid Connection Manager service. It will also fire on legitimate installations, such as those initiated by Azure function apps, so matches should be reviewed manually to rule out false positives. The 'System Security Extension' audit subcategory must be enabled for the rule to work, since that is what produces the Event ID 4697 records it depends on.
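As an added illustration (not code from the rule page or its maintainers), the matching logic above applied to constructed Event ID 4697 records in Windows Event XML form. The EventData field names are the standard ones for 4697; the account name, paths and the non-matching control events are invented for the sample.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Flatten one Security-log event into {EventID, <EventData Name>: value}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec

def matches_rule(rec):
    """Rule logic: 4697, ServiceName equals and ServiceFileName contains the marker.
    String matching is case-insensitive, as Sigma-style rules treat it."""
    return (rec.get("EventID") == 4697
            and rec.get("ServiceName", "").lower() == "hybridconnectionmanager"
            and "hybridconnectionmanager" in rec.get("ServiceFileName", "").lower())

def run_detection(events):
    """Return the parsed records that the rule would alert on."""
    parsed = [parse_event(e) for e in events]
    return [r for r in parsed if matches_rule(r)]

def _event(event_id, service_name, service_file):
    """Build a minimal, constructed event in Windows Event XML shape (sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">svc-deploy</Data>
    <Data Name="ServiceName">{service_name}</Data>
    <Data Name="ServiceFileName">{service_file}</Data>
    <Data Name="ServiceStartType">2</Data>
  </EventData>
</Event>"""

# Constructed sample: one true match, one unrelated service, one scheduled-task event (4698).
SAMPLE_EVENTS = [
    _event(4697, "HybridConnectionManager",
           r"C:\Temp\hcm\HybridConnectionManagerService.exe"),
    _event(4697, "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    _event(4698, "HybridConnectionManager", r"C:\Temp\HybridConnectionManager.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT: service installed by", hit["SubjectUserName"], "->", hit["ServiceFileName"])
```

Matches still need the manual triage the summary describes; the installing account and file path in the alert are what a reviewer would use to tell an Azure-driven install from an unexpected one.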
Categories
- Windows
- Infrastructure
Data Sources
- Windows Registry
- Service
- Logon Session
Created: 2021-04-12