
Summary
This detection rule focuses on identifying multiple 'nslookup' command executions within a network environment, which may indicate reconnaissance activity by threat actors. These actors have been observed employing a batch script to automate 'nslookup' for each host, efficiently gathering host-based network information. The rule leverages Splunk queries to collect endpoint data, particularly looking for processes associated with 'nslookup.exe'. It requires the analysis of both EDR logs and process-related data, aggregating results by time and host to signal potentially abnormal activity. A threshold is established to filter for occurrences where 'nslookup.exe' runs more than twice, thus highlighting potential attempts to gather extensive information about the local network architecture and host configurations. Identifying this type of behavior is crucial in detecting reconnaissance efforts that precede attacks like those initiated by the Rhysida ransomware, as noted in the referenced threat reports.
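The aggregation the summary describes (count 'nslookup.exe' process starts per host within a time bucket, alert when the count exceeds two) can be reproduced outside Splunk for testing or tuning. The following is an added illustration written for this page, not the rule's own Splunk query: the event records are constructed, the field names ('_time', 'dest', 'process_name', 'process') are assumed, and the one-minute bucket width is an assumption rather than a value taken from the page. It also shows the bucket-boundary caveat: a burst that straddles two buckets may not reach the threshold in either.

```python
"""Toy re-implementation of the 'multiple nslookup executions' detection logic.
Added example, not the detection rule's own Splunk search. Field names and the
bucket width are assumptions; the sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed EDR process-start events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: three nslookup runs inside the same minute, as a batch script would produce
    {"_time": "2024-02-09T10:00:01Z", "dest": "WS01", "process_name": "nslookup.exe", "process": "nslookup.exe 10.0.0.5"},
    {"_time": "2024-02-09T10:00:02Z", "dest": "WS01", "process_name": "nslookup.exe", "process": "nslookup.exe 10.0.0.6"},
    {"_time": "2024-02-09T10:00:03Z", "dest": "WS01", "process_name": "nslookup.exe", "process": "nslookup.exe 10.0.0.7"},
    {"_time": "2024-02-09T10:00:04Z", "dest": "WS01", "process_name": "cmd.exe",      "process": "cmd.exe /c hosts.bat"},
    # WS02: two runs five minutes apart, ordinary troubleshooting
    {"_time": "2024-02-09T10:00:10Z", "dest": "WS02", "process_name": "nslookup.exe", "process": "nslookup.exe intranet"},
    {"_time": "2024-02-09T10:05:10Z", "dest": "WS02", "process_name": "nslookup.exe", "process": "nslookup.exe mail"},
    # WS03: three runs in 35 seconds, but straddling the 10:00/10:01 minute boundary
    {"_time": "2024-02-09T10:00:30Z", "dest": "WS03", "process_name": "NSLOOKUP.EXE", "process": "nslookup.exe dc01"},
    {"_time": "2024-02-09T10:00:45Z", "dest": "WS03", "process_name": "nslookup.exe", "process": "nslookup.exe dc02"},
    {"_time": "2024-02-09T10:01:05Z", "dest": "WS03", "process_name": "nslookup.exe", "process": "nslookup.exe fileserver"},
]

BUCKET_SECONDS = 60   # assumed span; the page does not state the rule's bucket width
THRESHOLD = 2         # the rule fires when nslookup.exe runs more than twice

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def bucket_start(ts: str, bucket_seconds: int) -> int:
    """Epoch second at which the bucket containing timestamp ts begins."""
    dt = datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - (epoch % bucket_seconds)


def find_nslookup_bursts(events, bucket_seconds=BUCKET_SECONDS, threshold=THRESHOLD):
    """Group nslookup.exe executions by (host, time bucket) and return the
    groups whose count exceeds the threshold, sorted by bucket then host."""
    groups = defaultdict(list)
    for ev in events:
        # Process names on Windows are case-insensitive, so normalise before matching.
        if ev.get("process_name", "").lower() != "nslookup.exe":
            continue
        key = (ev["dest"], bucket_start(ev["_time"], bucket_seconds))
        groups[key].append(ev["process"])

    hits = []
    for (dest, start), commands in groups.items():
        if len(commands) > threshold:
            hits.append({
                "dest": dest,
                "bucket": datetime.fromtimestamp(start, tz=timezone.utc).strftime(TIME_FMT),
                "count": len(commands),
                "commands": commands,
            })
    hits.sort(key=lambda h: (h["bucket"], h["dest"]))
    return hits


if __name__ == "__main__":
    for hit in find_nslookup_bursts(SAMPLE_EVENTS):
        print(f"{hit['bucket']} {hit['dest']}: {hit['count']} nslookup.exe runs -> {hit['commands']}")
```

With the defaults only WS01 is reported. WS03 ran nslookup three times in 35 seconds but the runs split 2/1 across two one-minute buckets, so neither bucket exceeds the threshold; widening the bucket (for example to five minutes) surfaces WS03 as well. When tuning a rule of this kind, pick the bucket width with that boundary effect in mind and check how many benign hosts (WS02-style troubleshooting) the chosen width pulls in.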
Categories
- Endpoint
- Network
Data Sources
- Process
- Command
- Logon Session
ATT&CK Techniques
- T1016
- T1018
Created: 2024-02-09