
Windows RMM Tool Execution

Splunk Security Content

Summary
Anomaly rule that flags Windows process creation events associated with known remote management and monitoring (RMM) tools. It ingests Sysmon Event ID 1 data and matches the Company, Description, Product, and Image fields against a curated list of legitimate RMM vendors and products (e.g., AnyDesk, TeamViewer, NinjaRMM, Zoho Assist, Pulseway, NetSupport, ScreenConnect, Take Control, GoToAssist). Matching on the PE metadata fields as well as the image path means a tool that has been renamed or copied to an unusual directory is still caught as long as its version information is intact. When a match is found, results are aggregated by host and tool metadata with first and last seen times to support timeline analysis and risk-based alerting. The goal is to surface abuse of legitimate remote administration tools for persistent access, lateral movement, or exfiltration. Because these tools are also used by authorized administrators, the detection is expected to fire on approved activity; filter out known-good host and tool combinations and document sanctioned RMM usage so that the remaining results are worth investigating. The rule relies on endpoint process telemetry from Sysmon or EDR agents and uses CIM normalization to harmonize field names across sources.
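The matching and aggregation logic described above, re-implemented in Python over constructed Sysmon Event ID 1 records, as an added example; this is not the Splunk rule's own SPL. The vendor list is an illustrative subset, the `APPROVED` allowlist and the sample events are assumptions, and the second sample shows why the PE metadata fields matter: the AnyDesk binary has been renamed `svchost.exe` and dropped in a Temp directory, so only Company/Description/Product still identify it.

```python
"""Added example: RMM tool matching and per-host aggregation over Sysmon EID 1 records.
Not the Splunk rule's SPL; vendor list, allowlist and sample events are constructed."""
from datetime import datetime

# Illustrative subset of the curated RMM vendor/product list (assumption, lowercased).
RMM_SIGNATURES = [
    "anydesk", "teamviewer", "ninjarmm", "zoho assist", "pulseway",
    "netsupport", "screenconnect", "take control", "gotoassist",
]

# Approved admin usage to filter out, as (hostname, matched signature) pairs. Assumption.
APPROVED = {("it-admin-01", "screenconnect")}

# Constructed Sysmon Event ID 1 records, reduced to the fields the rule keys on.
SAMPLE_EVENTS = [
    {"_time": "2026-04-13T09:00:00", "Computer": "it-admin-01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "Company": "ScreenConnect Software", "Description": "ScreenConnect Client Service",
     "Product": "ScreenConnect"},
    # Renamed binary: the path says svchost.exe, the version info still says AnyDesk.
    {"_time": "2026-04-13T10:15:00", "Computer": "finance-ws-07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "Company": "AnyDesk Software GmbH", "Description": "AnyDesk", "Product": "AnyDesk"},
    {"_time": "2026-04-13T10:17:30", "Computer": "finance-ws-07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "Company": "AnyDesk Software GmbH", "Description": "AnyDesk", "Product": "AnyDesk"},
    {"_time": "2026-04-13T11:00:00", "Computer": "hr-ws-02",
     "Image": r"C:\Windows\System32\notepad.exe",
     "Company": "Microsoft Corporation", "Description": "Notepad", "Product": "Microsoft Windows"},
]

MATCH_FIELDS = ("Company", "Description", "Product", "Image")


def match_rmm(event):
    """Return the first RMM signature found in any of the matched fields, else None.

    All four fields are concatenated and searched case-insensitively, so a tool that
    was renamed on disk is still identified through its PE version information."""
    haystack = " ".join(str(event.get(f, "")) for f in MATCH_FIELDS).lower()
    for sig in RMM_SIGNATURES:
        if sig in haystack:
            return sig
    return None


def aggregate(events, approved=APPROVED):
    """Group matching events by host and tool metadata with first/last seen and a count.

    Host/tool pairs listed in `approved` are dropped, which is the 'filter approved
    admin activity' step the rule guidance describes."""
    groups = {}
    for ev in events:
        sig = match_rmm(ev)
        if sig is None or (ev["Computer"], sig) in approved:
            continue
        key = (ev["Computer"], sig, ev["Image"], ev["Company"], ev["Product"])
        ts = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"firstTime": ts, "lastTime": ts, "count": 0})
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
        g["count"] += 1
    return groups


if __name__ == "__main__":
    for (host, sig, image, company, product), g in aggregate(SAMPLE_EVENTS).items():
        print(f"{host}: {sig} ({company} / {product}) image={image} "
              f"count={g['count']} first={g['firstTime']} last={g['lastTime']}")
```

Running the block stand-alone reports only the finance workstation: the ScreenConnect execution on the approved admin host is filtered, Notepad matches nothing, and the two AnyDesk events collapse into one row with the first and last seen timestamps. Substring matching on short vendor names can collide with unrelated products, so in production the list should be maintained as a lookup and reviewed when new false positives appear.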
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Image
ATT&CK Techniques
  • T1219
Created: 2026-04-13