This analytic detects the execution of the Windows built-in tool `netsh.exe`, which can reveal the configuration and state of the host firewall. Such monitoring is critical as adversaries may utilize `netsh` to manipulate firewall rules, potentially facilitating unauthorized access to a network or leading to a data breach. The detection mechanism leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line execution patterns indicative of potential malicious activity. The rule captures instances where `netsh.exe` is executed with commands that look for firewall configurations such as `show state`, `show config`, `show wlan`, or `show profile`. The implementation requires accurate data collection and normalization via Splunk's Common Information Model (CIM). Actionable steps include ingesting logs that track command executions, ensuring that this telemetry is mapped correctly to the `Processes` node of the `Endpoint` data model. Vigilance against false positives is necessary, especially from legitimate activities by network administrators who may use this command for auditing.