Windows Sandbox with Sensitive Configuration

Elastic Detection Rules

Summary
This rule identifies Windows Sandbox processes whose command line indicates that a new container is being started with sensitive configuration: write access to the host file system, network connectivity, or a logon command that runs automatically when the sandbox starts. Malware can abuse a sandbox configured this way to run outside the view of host-based detection mechanisms. The rule is written in EQL (Event Query Language) and examines process events from multiple log sources, matching sandbox initiation with command-line parameters related to networking and mapped host folders. Its risk score of 47 corresponds to medium severity. Coverage is improved by drawing on several data sources, including Microsoft Defender for Endpoint and various EDR solutions.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1564
  • T1564.006
Created: 2025-04-14