
Summary
This detection rule identifies attempts to install unsigned AppX packages on Windows systems using the PowerShell cmdlet `Add-AppxPackage` or its alias `Add-AppPackage`. The rule monitors invocations of these cmdlets, in particular when they carry the `-AllowUnsigned` switch, which explicitly permits the installation of packages that are not signed. This behavior is commonly associated with threat actor activity that aims to execute malicious applications or to bypass established security controls. The detection logic matches cases where PowerShell (`powershell.exe` or `pwsh.exe`) runs one of these cmdlets together with `-AllowUnsigned` and raises an alert when such an unsigned installation is attempted. False positives can arise from legitimate development or testing scenarios in which unsigned packages are installed intentionally.
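The rule's three conditions (PowerShell image, `Add-AppxPackage`/`Add-AppPackage` cmdlet, `-AllowUnsigned` switch), expressed as an added Python example that is not part of the rule itself. It runs over constructed process-creation events; the `ProcessEvent` fields and the sample command lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape, not a real log schema)."""
    image: str          # full path of the created process
    command_line: str   # full command line as logged


# PowerShell resolves cmdlet and parameter names case-insensitively,
# so the matching must be case-insensitive as well.
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
CMDLET_RE = re.compile(r"\bAdd-Appx?Package\b", re.IGNORECASE)   # cmdlet or alias
ALLOW_UNSIGNED_RE = re.compile(r"(?<![\w-])-AllowUnsigned\b", re.IGNORECASE)


def is_unsigned_appx_install(event: ProcessEvent) -> bool:
    """True when PowerShell runs Add-Appx/AppPackage with -AllowUnsigned."""
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in POWERSHELL_IMAGES:
        return False
    cmd = event.command_line
    return bool(CMDLET_RE.search(cmd) and ALLOW_UNSIGNED_RE.search(cmd))


# Constructed sample events: two should alert, two should not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -Command "Add-AppxPackage -Path C:\Users\Public\app.msix -AllowUnsigned"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"pwsh.exe -c add-apppackage -allowunsigned -path .\dev.appx"),
    # Signed install: cmdlet present but no -AllowUnsigned, so no alert.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command Add-AppxPackage -Path C:\signed\app.msixbundle"),
    # Same strings under cmd.exe: image is not PowerShell, so no alert.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo Add-AppxPackage -AllowUnsigned"),
]


def run_detection(events):
    """Return the events that satisfy the rule, in input order."""
    return [e for e in events if is_unsigned_appx_install(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line)
```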
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-01-31