Detect Remote Access Software Usage FileInfo

Splunk Security Content

Summary
This detection rule identifies the execution of remote access software by monitoring Sysmon EventCode 1 data, which logs process creation events on Windows systems. By cross-referencing these events with a lookup table of known remote access tools such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer, the rule helps security teams identify potentially malicious remote access activity. Since adversaries often use these utilities for unauthorized access, timely detection allows for swift incident response to prevent data breaches or further network compromise. To implement this rule effectively, users must ensure Sysmon is properly configured to log all relevant events and that data flows into Splunk for analysis. False positives can be minimized by maintaining exceptions for approved software in a designated lookup table.
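The matching logic the summary describes (Sysmon EventCode 1 records cross-referenced with a lookup of known remote access tools, minus an exceptions table of approved software) can be expressed outside SPL to see exactly what fires and why. The following is an added Python example, not Splunk's detection or any code from the Security Content project. The product names come from the summary above; the executable names in the lookup, the exceptions table, the host and user names, and every event record are constructed for illustration.

```python
"""Toy re-implementation of the rule's logic over constructed Sysmon
process-creation records. Example code, not the Splunk detection itself."""
import ntpath

# Assumed lookup table (constructed): lowercase executable name -> product.
# A production lookup would carry more binaries and richer metadata.
REMOTE_ACCESS_LOOKUP = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "logmein.exe": "LogMeIn",
    "g2mcomm.exe": "GoToMyPC",
}

# Assumed exceptions table (constructed): (product, host) pairs that are
# approved, e.g. the help desk's sanctioned TeamViewer install.
APPROVED_EXCEPTIONS = {("TeamViewer", "HELPDESK01")}

# Constructed Sysmon events, already parsed into the fields the rule uses.
SYSMON_EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\AnyDesk\\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"EventCode": 1, "Computer": "HELPDESK01", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "OriginalFileName": "TeamViewer.exe"},
    # Renamed binary: the Image name is innocuous, but the PE's
    # OriginalFileName (Sysmon's FileInfo) still identifies the product.
    {"EventCode": 1, "Computer": "WS02", "User": "CORP\\carol",
     "Image": "C:\\Windows\\Temp\\update.exe",
     "OriginalFileName": "TeamViewer.exe"},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    # EventCode 3 (network connection) is out of scope for this rule.
    {"EventCode": 3, "Computer": "WS03", "User": "CORP\\dave",
     "Image": "C:\\Users\\dave\\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
]


def process_names(event):
    """Candidate names to check: the Image basename and the OriginalFileName,
    both lowercased so the lookup match is case-insensitive."""
    names = set()
    image = event.get("Image")
    if image:
        names.add(ntpath.basename(image).lower())
    original = event.get("OriginalFileName")
    if original:
        names.add(original.lower())
    return names


def match_remote_access(event, lookup=REMOTE_ACCESS_LOOKUP):
    """Return the product name if this process-creation event matches the
    lookup, else None. Only EventCode 1 records are considered."""
    if str(event.get("EventCode")) != "1":
        return None
    for name in process_names(event):
        if name in lookup:
            return lookup[name]
    return None


def detect(events, lookup=REMOTE_ACCESS_LOOKUP, exceptions=APPROVED_EXCEPTIONS):
    """Run the rule over a batch of events and return the surviving hits,
    dropping any (product, host) pair present in the exceptions table."""
    hits = []
    for event in events:
        product = match_remote_access(event, lookup)
        if product is None:
            continue
        if (product, event.get("Computer")) in exceptions:
            continue
        hits.append({"Computer": event.get("Computer"),
                     "User": event.get("User"),
                     "Image": event.get("Image"),
                     "product": product})
    return hits


if __name__ == "__main__":
    for hit in detect(SYSMON_EVENTS):
        print(f"{hit['Computer']} {hit['User']} ran {hit['product']}: {hit['Image']}")
```

Two design points worth noting: matching on OriginalFileName as well as the Image basename is what lets the rule survive a renamed executable, and keying exceptions on a (product, host) pair rather than on the product alone keeps an approval for one sanctioned machine from silencing the rule everywhere.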
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1219
Created: 2024-11-13