
Summary
This analytic rule is designed to detect reconnaissance activity involving Windows Event Logs, using command-line utilities such as `wevtutil.exe` and `wmic.exe`, PowerShell cmdlets such as `Get-WinEvent`, or WMI queries that target `Win32_NTLogEvent`. These utilities are legitimate for administrative tasks, but their use can signify malicious intent when they are executed with specific parameters or focused on sensitive logs, especially the `Security` log. An adversary might use these methods to extract data such as usernames, IP addresses, and session information while attempting to access credentials or to maintain situational awareness during lateral movement within a network. The detection uses data collected from Endpoint Detection and Response (EDR) agents, focusing on the associated process names and command-line arguments. It aims to identify patterns characteristic of reconnaissance behavior, enabling early intervention against potential threats.
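As an added illustration of the detection idea above (this is example code, not the published rule's own search logic), the following scores constructed EDR process-creation records by process name and command line, raising the severity when the `Security` log is named. The field names, the matched patterns and the sample records are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Indicators loosely modelled on the rule summary. The exact patterns are an
# assumption of this example, not the rule's real search logic.
LOG_TOOLS = {"wevtutil.exe", "wmic.exe", "powershell.exe", "pwsh.exe"}
PATTERNS = [
    # wevtutil query-events (qe), e.g. "wevtutil qe Security ..."
    re.compile(r"\bwevtutil(\.exe)?\s+(qe|query-events)\b", re.I),
    # WMI event-log class, via the wmic "ntevent" alias or the class name
    re.compile(r"\bntevent\b|\bWin32_NTLogEvent\b", re.I),
    # PowerShell event-log cmdlets
    re.compile(r"\bGet-WinEvent\b|\bGet-EventLog\b", re.I),
]
SENSITIVE_LOGS = re.compile(r"\bSecurity\b", re.I)

@dataclass
class ProcessEvent:
    host: str
    user: str
    process_name: str
    command_line: str

def score_event(ev: ProcessEvent) -> int:
    """Return 0 when the event is not log reconnaissance, otherwise a
    severity: 1 for a generic log query, 2 when the Security log is named."""
    if ev.process_name.lower() not in LOG_TOOLS:
        return 0
    if not any(p.search(ev.command_line) for p in PATTERNS):
        return 0
    return 2 if SENSITIVE_LOGS.search(ev.command_line) else 1

def detect(events):
    """Yield (severity, event) for every record that matches."""
    for ev in events:
        sev = score_event(ev)
        if sev:
            yield sev, ev

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "jdoe", "wevtutil.exe", "wevtutil qe Security /c:50 /f:text /rd:true"),
    ProcessEvent("ws01", "jdoe", "wmic.exe", "wmic ntevent where \"Logfile='Security'\" get Message"),
    ProcessEvent("srv02", "svc_backup", "powershell.exe", "powershell -c Get-WinEvent -LogName System -MaxEvents 5"),
    ProcessEvent("srv02", "admin", "powershell.exe", "powershell Get-Process"),
    ProcessEvent("ws03", "jdoe", "wevtutil.exe", "wevtutil el"),
]

if __name__ == "__main__":
    for sev, ev in detect(SAMPLE_EVENTS):
        print(f"sev={sev} host={ev.host} user={ev.user} cmd={ev.command_line}")
```

Note that the last record (`wevtutil el`, which only lists log names) is not flagged, and that the check keys on the tool's own process name, so a `cmd.exe /c wevtutil ...` wrapper is caught through the child `wevtutil.exe` event rather than the parent.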
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1654
Created: 2025-04-23