Suspicious Microsoft Workflow Compiler Usage

Splunk Security Content

Summary
The detection rule "Suspicious Microsoft Workflow Compiler Usage" identifies execution of microsoft.workflow.compiler.exe, a rarely used binary that ships with the .NET Framework under C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (a 32-bit copy also exists under the Framework directory, so the rule should match on the process name rather than one exact path). Because the binary is a signed Microsoft component that is almost never run legitimately on workstations, any execution is suspicious and may indicate proxy execution of attacker-controlled code or a persistence mechanism. The rule examines process-creation telemetry from Endpoint Detection and Response (EDR) tooling and flags every instance in which this process is started, and the accompanying Splunk search normalizes the supported sources (Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2) so that the host, user, parent process, and command line are captured for each hit. Note that 4688 events only carry the command line when the "Include command line in process creation events" audit policy is enabled. Each occurrence should be investigated to establish what was compiled and which parent launched the process. The page also provides implementation guidance for Splunk, a discussion of known false positives, and references for further context.
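The following is an added example, not Splunk's own search or any code from the Security Content project. It re-implements the detection logic described above in plain Python so it can be run offline: it normalizes Sysmon EventID 1 and Windows Security 4688 process-creation records into a common shape, matches on the process name (case-insensitively, so both the Framework and Framework64 paths are caught), and returns the investigation context (host, user, parent, command line). The field names follow the standard Sysmon and 4688 schemas; the sample events, the `allowed_parents` suppression hook, and the hostnames and users are constructed for illustration and are not from the page. CrowdStrike ProcessRollup2 records are not modeled here because their field layout is not given on the page.

```python
"""Offline re-implementation of the "Suspicious Microsoft Workflow Compiler Usage"
detection logic (added example; not Splunk's own search)."""
import ntpath
from typing import Iterable, Optional

# Match on the file name, not the full path: the binary exists under both
# C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and the 32-bit Framework directory.
TARGET_PROCESS = "microsoft.workflow.compiler.exe"

# Constructed sample telemetry (not real events). Two different source schemas are
# mixed on purpose so the normalizer has something to do.
SAMPLE_EVENTS = [
    {   # Sysmon EventID 1, 64-bit copy, launched from cmd.exe
        "EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"Microsoft.Workflow.Compiler.exe" C:\Users\Public\in.xml C:\Users\Public\out.txt',
    },
    {   # Security 4688, 32-bit copy, launched from PowerShell
        "EventID": 4688, "Computer": "WS02",
        "SubjectDomainName": "CORP", "SubjectUserName": "bob",
        "NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\microsoft.workflow.compiler.exe",
        "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'microsoft.workflow.compiler.exe C:\Temp\payload.xml C:\Temp\out.log',
    },
    {   # Sysmon EventID 1, a sibling .NET binary that must NOT match
        "EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"csc.exe /out:app.exe app.cs",
    },
    {   # Security 4688, benign process, must NOT match
        "EventID": 4688, "Computer": "WS02",
        "SubjectDomainName": "CORP", "SubjectUserName": "bob",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]


def normalize(event: dict) -> Optional[dict]:
    """Map a Sysmon 1 or Security 4688 record onto one process-creation shape.
    Returns None for event types this example does not handle."""
    if event.get("EventID") == 1:
        path, parent = event.get("Image", ""), event.get("ParentImage", "")
        user = event.get("User", "")
    elif event.get("EventID") == 4688:
        path, parent = event.get("NewProcessName", ""), event.get("ParentProcessName", "")
        user = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'
    else:
        return None
    # ntpath handles Windows separators regardless of the host OS running this script.
    return {
        "host": event.get("Computer", ""),
        "user": user,
        "process_path": path,
        "process_name": ntpath.basename(path).lower(),
        "parent_name": ntpath.basename(parent).lower(),
        # 4688 only carries this field when command-line auditing is enabled.
        "command_line": event.get("CommandLine", ""),
    }


def detect(events: Iterable[dict], allowed_parents: Iterable[str] = ()) -> list:
    """Return every normalized event whose process is microsoft.workflow.compiler.exe.
    `allowed_parents` is a hypothetical suppression list (lower-case parent file names)
    for tuning away a known-benign launcher; it is empty by default."""
    allowed = {p.lower() for p in allowed_parents}
    hits = []
    for event in events:
        norm = normalize(event)
        if norm is None or norm["process_name"] != TARGET_PROCESS:
            continue
        if norm["parent_name"] in allowed:
            continue
        hits.append(norm)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]} parent={hit["parent_name"]} cmd={hit["command_line"]}')
```

Run as-is, the script reports the two constructed hits (WS01 via cmd.exe and WS02 via powershell.exe) and ignores csc.exe and notepad.exe. Keeping the parent process and command line in each hit is what makes triage possible: the two positional arguments on the command line point at the input file that was compiled and the output that was written, which is where an investigation of a real hit should start.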
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1218 (System Binary Proxy Execution)
  • T1127 (Trusted Developer Utilities Proxy Execution)
Created: 2024-11-13