
Summary
This detection rule monitors and alerts on the execution of `netstat.exe` with command-line arguments that indicate network connection discovery on Windows systems. It uses data gathered from Endpoint Detection and Response (EDR) agents, focusing on the process name, its command line, and its parent process. The technique is commonly employed by Red Teams and malicious actors to gain situational awareness and discover assets within an Active Directory environment. The connection listing that `netstat.exe` provides could enable adversaries to map the network layout, identify essential systems, and plan lateral movement or data exfiltration. The detection leverages logs from sources such as Sysmon and Windows Event Logs, giving comprehensive coverage of processes related to network enumeration.
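The following is an added example, not part of the rule's own query, showing the matching logic described above run over constructed process-creation records shaped like Sysmon Event ID 1 fields. The set of netstat switches it treats as connection listing (`-a`, `-n`, `-o`, `-b`, `-r`) is an assumption, since the rule text names no specific arguments.

```python
"""Flag netstat.exe process-creation events that list network connections."""
from __future__ import annotations

# Constructed sample records shaped like Sysmon Event ID 1 process-creation
# fields (Image, CommandLine, ParentImage); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -ano",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\NETSTAT.EXE",
     "CommandLine": '"C:\\Windows\\System32\\NETSTAT.EXE" -a -n -p tcp',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumed argument set: single-letter netstat switches that enumerate
# connections, owning PIDs/binaries or the routing table. The rule text
# names no specific switches, so treat this set as a tunable assumption.
CONNECTION_LISTING_FLAGS = frozenset("anobr")


def parse_flags(cmdline: str) -> set[str]:
    """Return the single-letter switches in a netstat command line.
    Windows switches may be stacked ("-ano") or separate ("-a -n")."""
    flags: set[str] = set()
    for token in cmdline.split()[1:]:  # token 0 is the executable itself
        if token.startswith("-") and len(token) > 1:
            flags.update(token[1:].lower())
    return flags


def is_netstat_discovery(event: dict) -> bool:
    """True when the image is netstat.exe and a listing switch is present."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "netstat.exe":
        return False
    return bool(parse_flags(event.get("CommandLine", "")) & CONNECTION_LISTING_FLAGS)


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (CommandLine, ParentImage) for each match, so an analyst can
    triage by parent process as the rule description suggests."""
    return [(e["CommandLine"], e["ParentImage"]) for e in events if is_netstat_discovery(e)]


if __name__ == "__main__":
    for cmd, parent in detect(SAMPLE_EVENTS):
        print(f"ALERT T1049: {cmd!r} spawned by {parent}")
```

A bare `netstat` with no switches is deliberately not flagged, matching the rule's focus on specific arguments; widen `CONNECTION_LISTING_FLAGS` if your environment shows other switches in use.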
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1049
Created: 2024-11-13