Windows CAB File on Disk

Splunk Security Content

Summary
This detection rule identifies instances of .cab files being written to disk, using telemetry from Endpoint Detection and Response (EDR) agents and specifically Sysmon EventID 11 (FileCreate). .cab files can be a vehicle for malware delivery: they are archives that may carry malicious payloads, such as .url files, that execute harmful code when opened. The search filters for file activity where the file name ends with '.cab' and the event action is classified as 'write'. Reviewers are expected to investigate further by examining the file path, the writing process and any related artifacts that could indicate malicious behavior or compromise. To reduce false positives, tune the analytic by file path to exclude legitimate .cab writes in your environment (for example, those produced by software update or installer processes).
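The following Python is an added example, not the detection's own Splunk search and not code from the Splunk Security Content project. It replays the logic described above over a few constructed Sysmon EventID 11 records: keep only FileCreate events whose target ends in .cab (case-insensitively, since Windows paths are), then suppress paths on an allowlist of directories where .cab writes are expected. The field names (EventID, TargetFilename, Image, Computer) are Sysmon's EventData names; the allowlist prefixes are assumptions chosen for illustration and must be tuned per environment.

```python
"""Re-implementation of the 'Windows CAB File on Disk' logic over sample Sysmon records.

Added example (not the original Splunk search). Filters Sysmon Event ID 11 (FileCreate)
for targets ending in .cab, then drops paths on a hypothetical allowlist so the
analyst only sees .cab writes outside expected locations.
"""
import ntpath
from dataclasses import dataclass

# Constructed sample telemetry for the example; these are not real events.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "ws01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SoftwareDistribution\Download\update.cab"},
    {"EventID": 11, "Computer": "ws01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Invoice.CAB"},
    {"EventID": 11, "Computer": "ws02",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\report.pdf"},
    # Event ID 1 is ProcessCreate, not a file write, so it must not match.
    {"EventID": 1, "Computer": "ws02",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tool.cab"},
]

# Hypothetical allowlist (assumption): directories where .cab writes are routine.
# Compared in lower case because Windows paths are case-insensitive.
ALLOWLIST_PREFIXES = (
    r"c:\windows\softwaredistribution\,".rstrip(","),
    r"c:\windows\installer\,".rstrip(","),
)


@dataclass(frozen=True)
class Finding:
    """One hit, shaped like the fields a reviewer would pivot on."""
    dest: str          # host that wrote the file
    file_path: str     # directory the .cab landed in
    file_name: str     # the .cab file name
    process_name: str  # image that performed the write


def is_cab_write(event: dict) -> bool:
    """True for a Sysmon FileCreate (EID 11) whose target ends in .cab."""
    return (event.get("EventID") == 11
            and event.get("TargetFilename", "").lower().endswith(".cab"))


def is_allowlisted(path: str) -> bool:
    """True when the path sits under an allowlisted directory prefix."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in ALLOWLIST_PREFIXES)


def detect(events) -> list:
    """Apply the .cab-write filter, then the path allowlist; return the findings."""
    findings = []
    for ev in events:
        if not is_cab_write(ev):
            continue
        target = ev["TargetFilename"]
        if is_allowlisted(target):
            continue
        findings.append(Finding(
            dest=ev.get("Computer", ""),
            file_path=ntpath.dirname(target),
            file_name=ntpath.basename(target),
            process_name=ntpath.basename(ev.get("Image", "")),
        ))
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.dest}: {hit.process_name} wrote {hit.file_name} in {hit.file_path}")
```

Of the four constructed records only the Outlook write of Invoice.CAB into a user's Temp directory survives: the update .cab is allowlisted, the .pdf fails the extension check, and the Event ID 1 record is not a file write at all. That last case is the reason the search keys on action='write' rather than on any event that mentions a .cab path.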
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • File
ATT&CK Techniques
  • T1566.001
  • T1059
Created: 2024-11-13