Get DomainUser with PowerShell Script Block

Splunk Security Content

Summary
This analytic rule identifies execution of the PowerShell `Get-DomainUser` cmdlet by monitoring PowerShell Script Block Logging, specifically EventCode=4104. `Get-DomainUser` is a component of PowerView, a tool frequently used for Active Directory enumeration and reconnaissance. The detection reads PowerShell operational logs to capture instances of this command, which can indicate potentially malicious activity such as an adversary gathering user information within an Active Directory environment. Detecting this behavior matters because, when malicious, such enumeration often precedes further unauthorized access to or exploitation of domain resources. The analytic also surfaces key attributes such as the computer and user involved, supporting investigation of potential active threats.
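As an added example, not part of the Splunk analytic itself, the Python below applies the same matching idea to constructed 4104 records. Field names follow the 4104 event schema (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal); hostnames and SIDs are made up. It also shows why reassembling fragments matters: Windows splits a long script block across several 4104 events, and a per-fragment search misses a cmdlet name cut at the boundary.

```python
import re
from collections import defaultdict

# Constructed sample 4104 records (not real telemetry). Windows logs a long
# script block as several 4104 events sharing a ScriptBlockId, so the
# detection reassembles fragments before matching on the cmdlet name.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1-2-3-1105",
     "ScriptBlockId": "blk-a", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-Domain"},
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1-2-3-1105",
     "ScriptBlockId": "blk-a", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "User | Select-Object samaccountname"},
    {"EventCode": 4104, "Computer": "ws03.corp.example", "UserID": "S-1-5-21-1-2-3-1180",
     "ScriptBlockId": "blk-b", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "get-domainuser -Identity jdoe"},
    {"EventCode": 4104, "Computer": "srv02.corp.example", "UserID": "S-1-5-21-1-2-3-500",
     "ScriptBlockId": "blk-c", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ADUser -Filter * -Properties LastLogonDate"},
]

PATTERN = re.compile(r"\bGet-DomainUser\b", re.IGNORECASE)  # PowerShell is case-insensitive

def reassemble_script_blocks(events):
    """Join 4104 fragments per (Computer, ScriptBlockId) in MessageNumber order."""
    fragments = defaultdict(list)
    meta = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue  # only script block logging carries ScriptBlockText
        key = (ev["Computer"], ev["ScriptBlockId"])
        fragments[key].append((ev["MessageNumber"], ev["ScriptBlockText"]))
        meta[key] = (ev["UserID"], ev["MessageTotal"])
    blocks = []
    for (computer, block_id), parts in fragments.items():
        user_id, total = meta[(computer, block_id)]
        parts.sort()  # order fragments by MessageNumber before joining
        blocks.append({"Computer": computer, "UserID": user_id, "ScriptBlockId": block_id,
                       "ScriptBlockText": "".join(text for _, text in parts),
                       "Complete": len(parts) == total})
    return blocks

def detect_get_domainuser(events):
    """One alert per reassembled script block that invokes Get-DomainUser."""
    return [b for b in reassemble_script_blocks(events) if PATTERN.search(b["ScriptBlockText"])]

def detect_per_fragment(events):
    """Naive variant that matches each fragment alone; it misses blk-a above."""
    return [ev for ev in events
            if ev.get("EventCode") == 4104 and PATTERN.search(ev["ScriptBlockText"])]
```

Each alert carries the Computer and UserID the summary calls out, so an analyst can pivot directly to the host and account.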
Categories
  • Endpoint
  • Windows
  • Identity Management
Data Sources
  • Pod
  • Script
ATT&CK Techniques
  • T1087.002
  • T1087
Created: 2024-11-13