Living Off The Land Detection

Splunk Security Content

Summary
The Living Off The Land Detection rule identifies suspicious activity in which legitimate system tools are used for malicious ends. This correlation search aggregates risk events tagged with the 'Living Off The Land' analytic story using the Risk data model. It focuses on systems with a high number of distinct risk sources, which allows detection of potentially harmful behaviors that could let attackers execute arbitrary code, escalate privileges, or maintain a foothold in an environment using trusted utilities. The query collects statistics about the risk events for each system and applies filters to determine notable activity based on source diversity. Proper implementation requires enabling all associated detections and tuning for false positives, since high volumes of legitimate actions may trigger alerts.
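The aggregation the summary describes, written out as an added Python example rather than the rule's own SPL: risk events tagged with the analytic story are grouped by the system they were attributed to, the number of distinct detection sources per system is counted, and only systems above a threshold are raised as notable. The sample events, the field names (risk_object, source, analyticstories, risk_score) and the threshold of four distinct sources are assumptions for illustration and are not taken from the Splunk content.

```python
from collections import defaultdict

ANALYTIC_STORY = "Living Off The Land"
MIN_DISTINCT_SOURCES = 4  # assumed threshold for illustration; tune per environment

# Constructed sample risk events (not real Splunk data). Each record carries the
# system the risk was attributed to, the detection ("source") that produced it,
# the analytic stories that detection is tagged with, and a risk score.
SAMPLE_RISK_EVENTS = [
    {"_time": 1, "risk_object": "host-a", "source": "Certutil Download",   "analyticstories": ["Living Off The Land"], "risk_score": 25},
    {"_time": 2, "risk_object": "host-a", "source": "Rundll32 Execution",  "analyticstories": ["Living Off The Land"], "risk_score": 20},
    {"_time": 3, "risk_object": "host-a", "source": "Mshta Execution",     "analyticstories": ["Living Off The Land"], "risk_score": 30},
    {"_time": 4, "risk_object": "host-a", "source": "Regsvr32 Execution",  "analyticstories": ["Living Off The Land"], "risk_score": 30},
    {"_time": 5, "risk_object": "host-a", "source": "Certutil Download",   "analyticstories": ["Living Off The Land"], "risk_score": 25},
    # host-b: two legitimate-looking admin actions, low source diversity
    {"_time": 6, "risk_object": "host-b", "source": "Certutil Download",   "analyticstories": ["Living Off The Land"], "risk_score": 25},
    {"_time": 7, "risk_object": "host-b", "source": "Regsvr32 Execution",  "analyticstories": ["Living Off The Land"], "risk_score": 30},
    # host-c: tagged with a different story, so it is outside this correlation
    {"_time": 8, "risk_object": "host-c", "source": "Suspicious Service",  "analyticstories": ["Windows Persistence"], "risk_score": 40},
]


def aggregate_risk(events, story=ANALYTIC_STORY):
    """Group risk events tagged with `story` by risk_object and collect stats.

    Returns a dict keyed by risk_object with the event count, the set of
    distinct detection sources, the summed risk score and the first/last
    event time, mirroring the statistics a correlation search would compute.
    """
    stats = defaultdict(lambda: {"event_count": 0, "sources": set(),
                                 "risk_score_sum": 0, "first_time": None,
                                 "last_time": None})
    for ev in events:
        if story not in ev.get("analyticstories", []):
            continue
        s = stats[ev["risk_object"]]
        s["event_count"] += 1
        s["sources"].add(ev["source"])
        s["risk_score_sum"] += ev.get("risk_score", 0)
        t = ev["_time"]
        s["first_time"] = t if s["first_time"] is None else min(s["first_time"], t)
        s["last_time"] = t if s["last_time"] is None else max(s["last_time"], t)
    return dict(stats)


def find_notables(events, min_sources=MIN_DISTINCT_SOURCES, story=ANALYTIC_STORY):
    """Apply the source-diversity filter: keep only systems whose number of
    distinct risk sources meets the threshold. Returns {risk_object: source_count}."""
    agg = aggregate_risk(events, story)
    return {obj: len(s["sources"]) for obj, s in agg.items()
            if len(s["sources"]) >= min_sources}


if __name__ == "__main__":
    for obj, stats in aggregate_risk(SAMPLE_RISK_EVENTS).items():
        print(obj, stats["event_count"], "events,", len(stats["sources"]), "distinct sources")
    print("notable:", find_notables(SAMPLE_RISK_EVENTS))
```

Counting distinct sources rather than raw event volume is what keeps a single noisy detection (host-a's repeated certutil hits, or host-b's routine admin activity) from raising an alert on its own; the threshold is the main tuning knob for the false positives the summary warns about.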
Categories
  • Endpoint
Data Sources
  • Process
  • Application Log
  • Network Traffic
  • Command
ATT&CK Techniques
  • T1105
  • T1190
  • T1059
  • T1133
  • T1218
Created: 2024-11-13