Windows HTTP Network Communication From MSIExec

Splunk Security Content

Summary
This detection rule identifies unusual network communication originating from the Windows MSIExec process (msiexec.exe), which does not typically generate such traffic. It correlates process creation events from Endpoint Detection and Response (EDR) agents with network traffic logs and flags connections made by MSIExec over port 443 or 80. If the activity is confirmed malicious, it may indicate that an attacker is abusing MSIExec to reach external servers, which can lead to data exfiltration, command-and-control (C2) communication, or the staging of additional malware. Understanding the legitimate uses of MSIExec in your environment is critical to keeping false positives low, but any unexpected connection warrants investigation.
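The correlation the summary describes, written out as an added example so the logic can be read and run outside Splunk; this is not the rule's own search and not code from Splunk Security Content. It joins EDR process-creation records to network-connection records on (host, pid), keeps only msiexec.exe connections to port 80 or 443, and attaches the command line plus a triage hint (whether the install was sourced from a URL, a legitimate MSIExec feature) so an analyst can judge likely false positives. All field names, the two hosts, and the log records are constructed for the example.

```python
"""Added example: minimal re-implementation of the MSIExec network correlation.
Not the Splunk rule's search; field names and sample records are assumptions."""

from dataclasses import dataclass

WATCHED_PORTS = {80, 443}          # ports the rule targets
WATCHED_PROCESS = "msiexec.exe"    # process the rule targets


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed EDR process-creation record (field names assumed)."""
    host: str
    pid: int
    process_name: str
    cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    """Constructed EDR network-connection record (field names assumed)."""
    host: str
    pid: int
    dest_ip: str
    dest_port: int


def correlate_msiexec_network(processes, networks):
    """Join network events to process events on (host, pid) and return the
    connections made by msiexec.exe to a watched port, in network-event order."""
    # Index only the process we care about; everything else is dropped early.
    index = {
        (p.host, p.pid): p
        for p in processes
        if p.process_name.lower() == WATCHED_PROCESS
    }
    hits = []
    for n in networks:
        proc = index.get((n.host, n.pid))
        if proc is None or n.dest_port not in WATCHED_PORTS:
            continue
        hits.append({
            "host": n.host,
            "pid": n.pid,
            "dest_ip": n.dest_ip,
            "dest_port": n.dest_port,
            "cmdline": proc.cmdline,
            # Triage hint, not a verdict: msiexec can legitimately install
            # a package from an http(s) URL, which explains outbound 80/443.
            "url_in_cmdline": "http://" in proc.cmdline.lower()
                              or "https://" in proc.cmdline.lower(),
        })
    return hits


# Constructed sample telemetry (hosts, pids and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_PROCESSES = [
    ProcessEvent("WKS-01", 4120, "msiexec.exe",
                 r"msiexec.exe /i C:\Users\Public\setup.msi /qn"),
    ProcessEvent("WKS-01", 5000, "chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("WKS-02", 7777, "MSIEXEC.EXE",
                 "msiexec.exe /i https://updates.example.com/app.msi /qn"),
]

SAMPLE_NETWORKS = [
    NetworkEvent("WKS-01", 4120, "203.0.113.10", 443),  # msiexec -> 443: hit
    NetworkEvent("WKS-01", 5000, "203.0.113.20", 443),  # browser: ignored
    NetworkEvent("WKS-01", 4120, "10.0.0.5", 445),      # msiexec -> 445: not watched
    NetworkEvent("WKS-02", 7777, "198.51.100.7", 80),   # msiexec -> 80: hit
]


if __name__ == "__main__":
    for hit in correlate_msiexec_network(SAMPLE_PROCESSES, SAMPLE_NETWORKS):
        print(hit)
```

The join key is (host, pid) because pids repeat across hosts; in a real pipeline you would also bound the join by time so a recycled pid on the same host is not matched to an older process record. The second hit carries `url_in_cmdline=True`, which is the kind of context the summary says you need to separate a legitimate URL-sourced install from unexpected traffic.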
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1218.007
Created: 2025-01-17