
Summary
This Elastic detection rule identifies the execution of built-in macOS commands associated with account or group enumeration, activity that can indicate an attempt to gather user information. Attackers may run these commands to learn which accounts and groups exist on a host, which supports follow-on actions such as lateral movement or privilege escalation. The rule specifically monitors processes such as 'ldapsearch', 'dsmemberutil', and 'dscl' when they are spawned by atypical parent processes, while excluding known legitimate applications to reduce false positives. It queries Elastic Defend logs over a specified time frame (the last 9 months) using EQL. The rule has a risk score of 21 and is classified as low severity. An accompanying investigation guide covers analysis steps, likely false positives, and recommended incident response measures to mitigate any identified risk.
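The matching logic described above (enumeration binary plus a parent-process exclusion list) can be exercised offline against sample telemetry. The following is an added example written for this page, not the rule's own EQL query or Elastic code; the parent-process allowlist, the `ProcessEvent` shape, and the sample events are constructed placeholders, since the rule's actual exclusions are not reproduced here.

```python
"""Simplified re-implementation of the enumeration rule's matching logic (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Built-in macOS binaries named on the page as account/group enumeration tools.
ENUM_BINARIES = frozenset({"ldapsearch", "dsmemberutil", "dscl"})

# Constructed allowlist of parent executables treated as legitimate. The real
# rule's exclusion list is not on this page, so these paths are placeholders.
LEGITIMATE_PARENTS = frozenset({
    "/usr/local/bin/example-mdm-agent",
    "/Applications/ExampleSecurityTool.app/Contents/MacOS/exampletool",
})

# Rule metadata taken from the page: risk score 21, low severity, ATT&CK mapping.
RULE_RISK_SCORE = 21
RULE_SEVERITY = "low"
RULE_TECHNIQUES = ("T1069", "T1069.001", "T1087", "T1087.001")


@dataclass
class ProcessEvent:
    """Minimal process-start event, modelled on the ECS fields the rule needs."""
    process_name: str          # process.name
    parent_executable: str     # process.parent.executable
    args: list[str] = field(default_factory=list)  # process.args (after argv[0])
    user: str = ""             # user.name


def matches_rule(ev: ProcessEvent) -> bool:
    """True when an enumeration binary runs under a parent not on the allowlist."""
    if ev.process_name not in ENUM_BINARIES:
        return False
    if ev.parent_executable in LEGITIMATE_PARENTS:
        return False  # known legitimate application: suppress to limit false positives
    return True


def evaluate(events: list[ProcessEvent]) -> list[dict]:
    """Run every event through the rule and return one alert dict per match."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "process": ev.process_name,
                "parent": ev.parent_executable,
                "user": ev.user,
                "command_line": " ".join([ev.process_name, *ev.args]),
                "risk_score": RULE_RISK_SCORE,
                "severity": RULE_SEVERITY,
                "techniques": list(RULE_TECHNIQUES),
            })
    return alerts


# Constructed sample telemetry: two events should alert, two should not.
SAMPLE_EVENTS = [
    ProcessEvent("dscl", "/usr/bin/python3", [".", "-list", "/Users"], "analyst"),
    ProcessEvent("dsmemberutil", "/usr/local/bin/example-mdm-agent",
                 ["checkmembership", "-U", "analyst", "-G", "admin"], "root"),
    ProcessEvent("ls", "/bin/zsh", ["-la"], "analyst"),
    ProcessEvent("ldapsearch", "/bin/sh", ["-x", "-b", "dc=example,dc=com"], "svc"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}/{alert['risk_score']}] "
              f"{alert['command_line']} (parent: {alert['parent']})")
```

The first event fires because a scripting interpreter is an atypical parent for `dscl`; the second is suppressed only because its parent sits on the allowlist, which is exactly the false-positive tuning point an analyst would review when triaging this rule.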
Categories
- Endpoint
- macOS
Data Sources
- Process
- Application Log
- File
ATT&CK Techniques
- T1069
- T1069.001
- T1087
- T1087.001
Created: 2021-01-12