
Summary
The rule ‘Get ADUser with PowerShell’ detects the execution of PowerShell commands that threat actors use to enumerate Active Directory users with the `Get-ADUser` cmdlet. Specifically, it looks for instances of `powershell.exe` or `cmd.exe` whose command line contains the string ‘Get-ADUser’, which indicates possible reconnaissance aimed at gathering domain user data. The rule uses telemetry from Endpoint Detection and Response (EDR) agents, matching on process names and command-line arguments to identify this behavior. Monitoring for this activity matters because unauthorized enumeration of Active Directory gives attackers critical information about the organizational hierarchy, which they can use to identify and target high-value users for further attacks. Such behavior warrants careful scrutiny in security operations so that a breach does not follow the discovery phase. The implementation guidance emphasizes ingesting the relevant logs from EDR agents to ensure proper data collection and correlation. This analytic represents a proactive approach to securing Active Directory environments.
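The following is an added example, not part of the original rule content, showing the detection logic the summary describes applied to a handful of constructed EDR process-creation events. It assumes a flat event shape with `process_name` and `process` (full command line) fields, matches only the two process names the rule names, and performs a case-insensitive substring match for `Get-ADUser`; the field names, hosts, users and command lines are all constructed for illustration.

```python
import re

# Constructed sample EDR process-creation events (not real telemetry).
# Field names (host, user, process_name, process) are an assumption about
# how the EDR agent's logs are normalized before the rule runs.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "process_name": "powershell.exe",
     "process": 'powershell.exe -NoProfile -Command "Get-ADUser -Filter * -Properties memberOf"'},
    {"host": "ws02", "user": "CORP\\bob", "process_name": "cmd.exe",
     "process": "cmd.exe /c powershell get-aduser -Identity svc_backup"},
    {"host": "ws03", "user": "CORP\\carol", "process_name": "powershell.exe",
     "process": 'powershell.exe -Command "Get-Process | Sort-Object CPU"'},
    {"host": "ws04", "user": "CORP\\dave", "process_name": "notepad.exe",
     "process": "notepad.exe C:\\scripts\\Get-ADUser-report.ps1"},
]

# Process names the rule scopes to, per the summary above.
WATCHED_PROCESSES = {"powershell.exe", "cmd.exe"}

# Case-insensitive substring match on the cmdlet name; PowerShell itself is
# case-insensitive, so "get-aduser" and "Get-ADUser" are the same invocation.
GET_ADUSER = re.compile(r"get-aduser", re.IGNORECASE)

# ATT&CK mappings listed on the page for this analytic.
ATTACK_TECHNIQUES = ["T1087", "T1087.002"]


def matches(event):
    """True when the event satisfies both conditions of the rule:
    the process is powershell.exe or cmd.exe AND its command line
    contains Get-ADUser."""
    name = event.get("process_name", "").lower()
    cmdline = event.get("process", "")
    return name in WATCHED_PROCESSES and GET_ADUSER.search(cmdline) is not None


def detect(events):
    """Run the rule over a sequence of events and return alert records
    carrying the fields an analyst needs for triage."""
    alerts = []
    for event in events:
        if matches(event):
            alerts.append({
                "host": event["host"],
                "user": event["user"],
                "process_name": event["process_name"],
                "process": event["process"],
                "attack": list(ATTACK_TECHNIQUES),
            })
    return alerts


def count_by_user(alerts):
    """Aggregate alerts per user so repeated enumeration from one
    account stands out during review."""
    counts = {}
    for alert in alerts:
        counts[alert["user"]] = counts.get(alert["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["host"]} {alert["user"]} {alert["process_name"]}: {alert["process"]}')
    print(count_by_user(detect(SAMPLE_EVENTS)))
```

Of the four constructed events, only the first two fire: the third is a benign PowerShell command, and the fourth contains the string but comes from a process outside the rule's scope, which is why the process-name condition is needed alongside the command-line match. As the summary states, the rule keys on the literal cmdlet name in the command line, so its coverage is exactly those invocations where that name is visible in process telemetry.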
Categories
- Endpoint
- Windows
- Identity Management
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1087
- T1087.002
Created: 2024-11-13