
Summary
This detection rule identifies the installation of a Microsoft Exchange Transport Agent. Transport Agents are a legitimate extension mechanism that lets a custom .NET assembly process mail as it passes through the Exchange transport pipeline, which makes a malicious agent an attractive persistence foothold on an Exchange server. The rule keys on the command line of the process performing the installation, specifically the presence of the Exchange Management Shell cmdlet 'Install-TransportAgent'. Because administrators also install agents legitimately, a match is not conclusive on its own; the 'AssemblyPath' argument, which names the DLL the agent is loaded from, is the most useful field for triage. An agent loaded from an unexpected location (a user profile, a temp folder, a network share) warrants investigation, whereas one under the Exchange installation tree is more likely legitimate. An attacker-controlled agent runs inside the Exchange transport service and can inspect or alter the mail it handles, so unauthorized installations should be monitored proactively.
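As an added illustration, not part of the rule or of this page, the following Python applies the rule's command-line match to a few constructed process-creation events and then extracts the AssemblyPath argument so each hit can be triaged by where the agent DLL lives. The Exchange install root it compares against is an assumption for the example and should be adjusted to the environment.

```python
import re

# Assumed default install root for Exchange 2013/2016/2019 (V15). This is an
# assumption for the example, not part of the rule; adjust to the local setup.
EXCHANGE_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15"

# Captures the value of -AssemblyPath whether it is double-quoted,
# single-quoted, or a bare token.
ASSEMBLY_PATH_RE = re.compile(
    r"""-AssemblyPath\s+(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)

# Constructed sample process-creation events (not real telemetry), reduced to
# the fields the rule uses.
SAMPLE_EVENTS = [
    {  # legitimate: Exchange's own hygiene agent, DLL under the install tree
        "EventID": 4688,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r'powershell.exe -NoProfile -Command "Install-TransportAgent '
            r"-Name 'Content Filter' "
            r"-TransportAgentFactory Microsoft.Exchange.Transport.Agent.ContentFilter.ContentFilterAgentFactory "
            r"-AssemblyPath 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll'"
            r'"'
        ),
    },
    {  # suspicious: agent DLL dropped in a world-writable directory
        "EventID": 4688,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r'powershell.exe -ep bypass -c "Install-TransportAgent -Name Updater '
            r"-AssemblyPath C:\Users\Public\updater.dll "
            r'-TransportAgentFactory Updater.Factory; Enable-TransportAgent -Identity Updater"'
        ),
    },
    {  # benign: read-only enumeration, must not fire
        "EventID": 4688,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -Command "Get-TransportAgent"',
    },
]


def extract_assembly_path(cmdline):
    """Return the -AssemblyPath value from a command line, or None if absent."""
    m = ASSEMBLY_PATH_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def classify_path(path):
    """Rough triage of where the agent assembly is loaded from."""
    if not path:
        return "unknown"
    norm = path.strip().lower()
    root = EXCHANGE_ROOT.lower()
    # Require a separator after the root so "V15evil\..." does not match.
    if norm == root or norm.startswith(root + "\\"):
        return "expected"
    return "unexpected"


def evaluate(events):
    """Apply the rule's command-line match, then enrich each hit for triage."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if "install-transportagent" not in cmd.lower():
            continue
        path = extract_assembly_path(cmd)
        location = classify_path(path)
        alerts.append({
            "image": ev.get("Image"),
            "command_line": cmd,
            "assembly_path": path,
            "location": location,
            # An agent loaded from outside the Exchange tree (or with no path
            # recovered) gets a higher priority; one inside it still needs a
            # look but is more often a legitimate install.
            "severity": "high" if location != "expected" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['location']:10} {a['assembly_path']}")
```

The substring match on 'Install-TransportAgent' reproduces what the rule does; everything after it is triage enrichment that an analyst would otherwise do by hand. Note that command-line parsing is only as good as the logging: if the cmdlet is invoked from a script file or an encoded command, the AssemblyPath will not appear in the process command line and Script Block Logging or the Exchange admin audit log is the better source.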
Categories
- Windows
- On-Premise
- Network
Data Sources
- Process
Created: 2021-06-08