
Summary
The detection rule 'Windows System Discovery Using Qwinsta' identifies executions of 'qwinsta.exe' on Windows hosts. 'qwinsta.exe' is a legitimate command-line tool for displaying session information on Remote Desktop Session Host servers, but it is frequently abused by malware such as Qakbot for unauthorized system discovery and information exfiltration. The rule uses data from Endpoint Detection and Response (EDR) agents, specifically process-creation logs from Sysmon (Event ID 1) and the Windows Security Event Log (Event ID 4688). Monitoring this executable matters because its use can precede larger attacks, including data breaches and further infiltration into the host. Implementation requires ingesting these logs and normalizing them with the Splunk Common Information Model (CIM) so that process-related telemetry is mapped to the fields the detection expects. False positives must be reviewed, since legitimate administrative users may run this command for auditing purposes.
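The following is an added example, not the rule's own Splunk search, showing the same detection logic in Python over process-creation records that have already been normalized to CIM Endpoint.Processes-style field names (process_name, process, parent_process_name, user, dest). The original_file_name field, the audit-account allowlist and all sample events are assumptions constructed for this example; matching on the original file name as well as the process name is included so that a renamed copy of the binary still triggers.

```python
from collections import Counter

# Constructed sample records (not real telemetry), shaped like CIM
# Endpoint.Processes events derived from Sysmon Event ID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T09:12:01Z", "dest": "WS-001", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "qwinsta.exe",
     "original_file_name": "qwinsta.exe", "process": "qwinsta.exe /server:TS01"},
    {"_time": "2024-11-13T09:12:05Z", "dest": "WS-001", "user": "CORP\\alice",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "process": "notepad.exe"},
    {"_time": "2024-11-13T09:14:30Z", "dest": "WS-017", "user": "CORP\\svc-build",
     "parent_process_name": "wscript.exe", "process_name": "QWINSTA.EXE",
     "original_file_name": "qwinsta.exe", "process": "QWINSTA.EXE"},
    # Renamed copy: process_name no longer matches, original_file_name still does.
    {"_time": "2024-11-13T09:15:02Z", "dest": "WS-017", "user": "CORP\\svc-build",
     "parent_process_name": "wscript.exe", "process_name": "sessinfo.exe",
     "original_file_name": "qwinsta.exe", "process": "sessinfo.exe"},
    {"_time": "2024-11-13T10:00:00Z", "dest": "TS01", "user": "CORP\\rdsadmin",
     "parent_process_name": "powershell.exe", "process_name": "qwinsta.exe",
     "original_file_name": "qwinsta.exe", "process": "qwinsta.exe"},
]

# Assumed tuning knob (not from the page): accounts known to run qwinsta.exe
# for routine session auditing on RDS hosts.
AUDIT_ACCOUNTS = {"CORP\\rdsadmin"}


def is_qwinsta(event):
    """Match on process_name or original_file_name, case-insensitively."""
    name = (event.get("process_name") or "").lower()
    orig = (event.get("original_file_name") or "").lower()
    return name == "qwinsta.exe" or orig == "qwinsta.exe"


def detect_qwinsta(events, audit_accounts=AUDIT_ACCOUNTS):
    """Return one finding per matching event.

    Each finding keeps the fields an analyst needs for triage (host, user,
    parent process, full command line), flags a renamed binary, and marks
    events from known auditing accounts as tuned_out rather than dropping
    them, so the evidence is preserved even when the alert is suppressed.
    """
    findings = []
    for ev in events:
        if not is_qwinsta(ev):
            continue
        findings.append({
            "time": ev["_time"],
            "dest": ev["dest"],
            "user": ev["user"],
            "parent_process_name": ev["parent_process_name"],
            "process": ev["process"],
            "renamed": (ev.get("process_name") or "").lower() != "qwinsta.exe",
            "tuned_out": ev["user"] in audit_accounts,
        })
    return findings


def alerts(findings):
    """Findings that should page someone: everything not tuned out."""
    return [f for f in findings if not f["tuned_out"]]


def summarize(findings):
    """Count matches per (dest, user), like `stats count by dest user`."""
    return Counter((f["dest"], f["user"]) for f in findings)


if __name__ == "__main__":
    found = detect_qwinsta(SAMPLE_EVENTS)
    for f in alerts(found):
        tag = " [renamed binary]" if f["renamed"] else ""
        print(f"{f['time']} {f['dest']} {f['user']} "
              f"{f['parent_process_name']} -> {f['process']}{tag}")
    print(dict(summarize(found)))
```

Parent process and command line are carried through because they are what separates an administrator typing qwinsta in a console from a script-host or downloader spawning it; the allowlist only suppresses, it never deletes, so a suppressed hit is still visible in the per-host summary.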
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1033
Created: 2024-11-13