
Windows Suspicious QEMU Execution

Splunk Security Content

Summary
This rule detects suspicious QEMU execution on Windows endpoints by monitoring Sysmon process creation events (EventID 1). It triggers when the command line contains the headless execution flag -nographic or references a disk image with a .img extension, two indicators commonly used to run a Linux VM without a display. The search cross-checks that the process is actually QEMU via its Product/Company metadata (Product="QEMU" or Company contains "qemu") and collects context from the process event (computer, EventID, CommandLine, Description, Product, Company, and related process fields). It computes first and last seen times, applies the security content styling hook, and emits a risk-based alert (RBA) with the message: Potential suspicious QEMU execution observed on $dest$ via $CommandLine$.

The rule is intended to catch persistence and initial access through rogue Linux VMs and relies on endpoint telemetry to identify the activity. To implement it, ingest endpoint EDR logs that provide the process GUID, process name, parent process, and complete command line, map them to the Endpoint Processes data model, and normalize field names using the Splunk CIM.

False positives can arise from legitimate virtualization in test or lab environments; whitelisting approved systems is advised. References are provided for the related attack patterns. The rule ships with drilldown and risk analytics to help triage, along with an attached dataset containing a known-positive example used to test it.
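The matching and aggregation described above, re-implemented in Python as an added example (this is not the Splunk rule's own SPL): it applies the -nographic / .img indicator and the Product/Company cross-check to constructed Sysmon EventID 1 records, groups hits by host and command line with first/last seen times, builds the RBA message, and allowlists approved lab hosts to suppress the false positives the summary mentions. The host names, paths and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon EventID 1 records (not real telemetry); field names follow the
# Sysmon schema as Splunk surfaces it: Computer, Image, CommandLine, Product, Company.
SAMPLE_EVENTS = [
    {"_time": "2026-04-13T09:01:00", "Computer": "ws01", "EventID": 1, "Product": "QEMU", "Company": "",
     "Image": r"C:\Users\alice\AppData\Local\Temp\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 512 -drive file=tc.img -nographic"},
    # Same host and command line minutes later; QEMU identified via Company this time
    {"_time": "2026-04-13T09:07:30", "Computer": "ws01", "EventID": 1, "Product": "", "Company": "QEMU Project",
     "Image": r"C:\Users\alice\AppData\Local\Temp\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 512 -drive file=tc.img -nographic"},
    # QEMU started with a display and a .qcow2 disk: neither -nographic nor .img present
    {"_time": "2026-04-13T10:00:00", "Computer": "lab02", "EventID": 1, "Product": "QEMU", "Company": "",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2048 -hda ubuntu.qcow2"},
    # .img on the command line but not a QEMU binary
    {"_time": "2026-04-13T10:05:00", "Computer": "ws03", "EventID": 1, "Product": "Microsoft Windows",
     "Company": "Microsoft Corporation", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.img"},
    # Not a process creation event (EventID 3 = network connection), so it is skipped
    {"_time": "2026-04-13T10:06:00", "Computer": "ws01", "EventID": 3, "Product": "QEMU", "Company": "", "CommandLine": ""},
]

def is_qemu_binary(ev):
    """Product/Company cross-check from the rule: Product="QEMU" or Company contains "qemu"."""
    return ev.get("Product") == "QEMU" or "qemu" in ev.get("Company", "").lower()
def has_headless_indicator(cmdline):
    """-nographic (no display) or a .img disk image anywhere on the command line."""
    lowered = cmdline.lower()
    return "-nographic" in lowered or ".img" in lowered
def detect_suspicious_qemu(events, approved_hosts=frozenset()):
    """One finding per (dest, CommandLine) with count, first/last seen and the RBA message.
    approved_hosts allowlists lab/test machines, the false-positive source the rule names."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1 or ev.get("Computer") in approved_hosts:
            continue
        cmd = ev.get("CommandLine", "")
        if is_qemu_binary(ev) and has_headless_indicator(cmd):
            groups[(ev["Computer"], cmd)].append(ev)
    findings = []
    for (dest, cmd), evs in groups.items():
        times = sorted(datetime.fromisoformat(e["_time"]) for e in evs)
        findings.append({"dest": dest, "CommandLine": cmd, "count": len(evs), "Image": evs[0]["Image"],
                         "firstTime": times[0].isoformat(), "lastTime": times[-1].isoformat(),
                         "message": f"Potential suspicious QEMU execution observed on {dest} via {cmd}"})
    return findings
```

Running detect_suspicious_qemu(SAMPLE_EVENTS) yields a single finding for ws01 with count 2; passing approved_hosts={"ws01"} suppresses it, which is the whitelisting the summary recommends for lab systems.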
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1204.002
  • T1001
  • T1036
  • T1564.006
Created: 2026-04-13