I have 1000+ devices listed against EQL-WIN-EXE-PRC-DIAVOL-ARGS-1 in the new Detections EAP. The description says that this could be indications of Diavol ransomware, however, I think the rule is mistakenly identifying some of the command line arguments used by other legitimate commands.
The command lines detected by this rule according to the description are -p "C:\b.txt" -m local -log "C:\programdata\log.txt". Some of the many misidentified detections are these below, I have bolded the possible command line argument incorrectly found which trigger the detection:
C:\WINDOWS\SysWOW64\WerFault.exe -pss -s 456 -p 16080 -ip 16080
C:\Windows\System32\wlrmdr.exe -s 60000 -f 1 -t Consider changing your password -m Your password will expire in 14 days.\x0ATo change your password, press CTRL+ALT+DELETE and then click \xE2\x80\x9CChange a password\xE2\x80\x9D. -a 0