
Summary
This analytic detection rule identifies the use of dnscmd.exe to enumerate DNS records, activity that can indicate an adversary gathering network information as a precursor to more targeted attacks. It works from process-creation telemetry supplied by Endpoint Detection and Response (EDR) agents, Sysmon Event ID 1, or Windows Security Event ID 4688, and it matches on the process command line; note that 4688 only carries the command line when command-line auditing ("Include command line in process creation events") is enabled, so without that setting the Security log cannot feed this rule. Specifically, the detection looks for dnscmd.exe executed with the '/enumrecords' argument, which dumps the records of a zone and may signal an attempt to map the network and identify key assets for follow-on attacks, including data exfiltration. dnscmd.exe is present on DNS servers and on hosts with the DNS Server tools (RSAT) installed, where administrators legitimately run it, so expected usage should be baselined. The search runs against the Splunk Endpoint.Processes data model and expects process logging and field normalization to be in place before it will produce results.
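The rule's search itself is not reproduced on this page. The following is an added example, not the Splunk content or any Splunk code, that applies the same condition (process name dnscmd.exe plus a '/enumrecords' argument) over a handful of constructed Sysmon Event ID 1 and Security 4688 records. It normalizes both sources onto fields loosely modeled on Endpoint.Processes (dest, user, process_name, process), matches the switch case-insensitively because dnscmd accepts it that way, and shows why a 4688 event logged without command-line auditing yields nothing to match. The hostnames, usernames and command lines are constructed for illustration.

```python
"""Detection logic for dnscmd.exe /enumrecords over constructed sample events.

Added example, not the Splunk rule itself. It mimics what the
Endpoint.Processes data model gives the rule: a process name and a full
command line, sourced from either Sysmon Event ID 1 or Security 4688.
"""
import re
from dataclasses import dataclass

# Constructed sample events. Field names follow the two Windows sources the
# rule relies on: Sysmon EID 1 (Image, CommandLine, User) and Security 4688
# (NewProcessName, CommandLine, SubjectUserName). The 4688 CommandLine field
# is only populated when command-line auditing is enabled.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Computer": "dc01.corp.local",
     "Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": "dnscmd.exe /enumrecords corp.local @",
     "User": "CORP\\jdoe"},
    {"source": "security", "EventID": 4688, "Computer": "ws12.corp.local",
     "NewProcessName": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": "dnscmd  dc01 /EnumRecords corp.local . /Type A",
     "SubjectUserName": "svc-backup"},
    {"source": "sysmon", "EventID": 1, "Computer": "dc01.corp.local",
     "Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": "dnscmd /info",          # dnscmd, but not record enumeration
     "User": "CORP\\dnsadmin"},
    {"source": "security", "EventID": 4688, "Computer": "ws07.corp.local",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo /enumrecords",  # right string, wrong binary
     "SubjectUserName": "jdoe"},
    {"source": "security", "EventID": 4688, "Computer": "ws09.corp.local",
     "NewProcessName": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": "",   # command-line auditing disabled: nothing to match on
     "SubjectUserName": "jdoe"},
]


@dataclass
class ProcessEvent:
    """Normalized record, loosely modeled on Endpoint.Processes fields."""
    dest: str
    user: str
    process_name: str
    process: str


def normalize(event: dict) -> ProcessEvent:
    """Map a raw Sysmon EID 1 or Security 4688 event onto common fields."""
    if event["EventID"] == 1:
        path, user = event["Image"], event["User"]
    elif event["EventID"] == 4688:
        path, user = event["NewProcessName"], event["SubjectUserName"]
    else:
        raise ValueError(f"unsupported EventID {event['EventID']}")
    # Compare on the basename only, lower-cased, so path and case differences
    # between sources do not cause misses.
    process_name = path.rsplit("\\", 1)[-1].lower()
    return ProcessEvent(dest=event["Computer"], user=user,
                        process_name=process_name, process=event["CommandLine"])


# dnscmd accepts its switches case-insensitively, so match that way. Requiring
# a leading space or start-of-string keeps "/enumrecords" from matching inside
# an unrelated token.
ENUMRECORDS = re.compile(r"(?:^|\s)/enumrecords\b", re.IGNORECASE)


def is_dns_enum(ev: ProcessEvent) -> bool:
    """True when dnscmd.exe was run with /enumrecords (the rule's condition)."""
    return ev.process_name == "dnscmd.exe" and bool(ENUMRECORDS.search(ev.process))


def detect(events: list) -> list:
    """Return the normalized events that satisfy the detection."""
    return [ev for ev in map(normalize, events) if is_dns_enum(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.dest} {hit.user} {hit.process_name} :: {hit.process}")
```

Run stand-alone, the script reports the two enumeration events (from dc01.corp.local and ws12.corp.local) and ignores the dnscmd /info run, the cmd.exe echo that merely contains the string, and the 4688 record with an empty command line. That last case is the practical point: a fleet that forwards 4688 without command-line auditing will appear covered by this rule while never matching.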
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1590.002
Created: 2024-11-13