Security Tools Keyword Lookup Via Findstr.EXE

Sigma Rules

Summary
This rule detects process creation events in which 'findstr.exe' or 'find.exe' is executed with command-line arguments containing the name of a known security product. Attackers commonly pipe the output of reconnaissance commands such as 'tasklist' or 'whoami' through 'findstr' to check which security tools are installed on a Windows host before attempting to disable or evade them (ATT&CK T1518.001, Security Software Discovery). The match is made on the command line of the 'findstr' or 'find' process itself, not on the command that produced the piped input, so the rule fires regardless of which reconnaissance command fed it. Expect benign hits from administrators and inventory scripts that run the same commands interactively; tune on parent process, user, or host rather than by removing keywords, and treat a match as a lead for further investigation rather than a confirmed compromise.
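The matching logic described above, written out as a small Python checker run over constructed Sysmon-style process creation events. This is an added illustration, not the Sigma rule's own source or keyword list; the product names in SECURITY_TOOL_KEYWORDS and the sample events are assumptions made here so the example runs offline.

```python
# Constructed illustration of the rule's logic: process creation events where
# findstr.exe or find.exe is launched with a security product name on its
# command line. The keyword list below is an assumption for this example and
# is NOT the rule's actual list.
SECURITY_TOOL_KEYWORDS = [
    "defender", "crowdstrike", "cylance", "sophos",
    "mcafee", "sentinel", "symantec", "carbonblack",
]


def is_findstr_lookup(event: dict) -> bool:
    """Return True when the event matches the rule as described on this page.

    event is a dict with at least the fields 'Image' and 'CommandLine',
    as a Sysmon Event ID 1 record would carry them.
    """
    image = event.get("Image", "").lower()
    # The rule keys on the filtering process, not on whatever fed the pipe.
    if not (image.endswith("\\findstr.exe") or image.endswith("\\find.exe")):
        return False
    cmdline = event.get("CommandLine", "").lower()
    # Case-insensitive substring match, matching how Sigma 'contains' behaves.
    return any(keyword in cmdline for keyword in SECURITY_TOOL_KEYWORDS)


def matching_command_lines(events: list) -> list:
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if is_findstr_lookup(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # attacker checks for EDR processes: tasklist /svc | findstr /i defender
        "Image": "C:\\Windows\\System32\\findstr.exe",
        "CommandLine": 'findstr /i "defender crowdstrike"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # same idea with find.exe instead of findstr.exe
        "Image": "C:\\Windows\\System32\\find.exe",
        "CommandLine": 'find /i "Sophos"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # benign developer usage: grep for TODO markers, no product names
        "Image": "C:\\Windows\\System32\\findstr.exe",
        "CommandLine": 'findstr /s /i "TODO" *.cs',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # the producing command itself is out of scope for this rule
        "Image": "C:\\Windows\\System32\\tasklist.exe",
        "CommandLine": "tasklist /svc",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # coverage gap: the same lookup via PowerShell's Select-String is not caught
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell Get-Process | Select-String defender",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]


if __name__ == "__main__":
    for cmd in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

The last two sample events show why a practitioner should pair this rule with others: the rule deliberately ignores the reconnaissance command that feeds the pipe, and an equivalent lookup done with PowerShell's Select-String never passes through findstr.exe at all.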
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1518.001
Created: 2023-10-20