
Go Run Execution

Anvilogic Forge

Summary
This detection rule identifies command executions of Go language binaries, specifically cases where malicious actors run Go-based commands on Windows hosts monitored by Sysmon. The rule combines endpoint data with system-monitoring events, looking for Sysmon Event ID 1 (Process Creation) records whose process is 'go' or 'go.exe'. The collected fields show which process was executed, its parent process, and the user context, allowing security teams to track the use of potentially malicious Go applications. The approach is motivated by the relative novelty of Go as a malware language, which makes Go-based malware less likely to be caught by traditional antivirus solutions. The rule processes the logs to extract the relevant execution data and organizes it into a manageable format for further investigation.
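The matching logic described above, as an added Python example that is not the Forge rule itself: it runs over constructed Sysmon Event ID 1 records (field names follow Sysmon's Image, CommandLine, ParentImage and User), requires the image basename to be exactly go or go.exe so that names merely containing "go" do not match, and extracts the process, parent and user context together with the go sub-command that was invoked.

```python
import ntpath
import shlex

# Constructed sample Sysmon events (not real telemetry), already parsed into dicts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Go\bin\go.exe",
     "CommandLine": r'"C:\Go\bin\go.exe" run C:\Users\alice\AppData\Local\Temp\main.go',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"EventID": 3, "Image": r"C:\Go\bin\go.exe",  # network event, not process creation
     "CommandLine": "", "ParentImage": "", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Go\bin\go.exe",
     "CommandLine": r"go build ./...",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
]

GO_IMAGES = ("go", "go.exe")


def go_subcommand(command_line):
    """Return the first argument after the executable, e.g. 'run' for 'go run x.go'."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    except ValueError:
        argv = command_line.split()
    return argv[1].lower() if len(argv) > 1 else ""


def detect_go_execution(events):
    """Return one record per Sysmon Event ID 1 whose image is the Go toolchain binary."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        # Compare the basename exactly so 'chrome.exe' under 'Google' is not a hit.
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in GO_IMAGES:
            continue
        hits.append({
            "process": ev["Image"],
            "parent": ntpath.basename(ev.get("ParentImage", "")).lower(),
            "user": ev.get("User", ""),
            "subcommand": go_subcommand(ev.get("CommandLine", "")),
        })
    return hits
```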
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1059
Created: 2024-02-09