
Summary
This analytic rule detects use of the `Get-AdGroup` PowerShell cmdlet through PowerShell Script Block Logging, specifically Event Code 4104. `Get-AdGroup` enumerates Active Directory groups, which threat actors commonly leverage for reconnaissance within a network environment. Monitoring execution of this cmdlet gives organizations insight into potential unauthorized or malicious Active Directory discovery. Detecting such activity matters because it may foreshadow further exploitation, such as privilege escalation or lateral movement, once attackers have a detailed view of the domain's organizational structure. PowerShell Script Block Logging must be enabled on endpoints for this detection to work; the example search query is designed for Splunk environments to capture and analyze the relevant events.
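The detection logic described above, written out as an added example (not the rule's own Splunk query) over constructed 4104 records. It assumes the Windows field names `ScriptBlockId`, `MessageNumber`, `MessageTotal` and `ScriptBlockText`, reassembles multi-part script blocks before matching so a cmdlet name split across fragments is still caught, and matches the exact cmdlet name so that related cmdlets such as `Get-ADGroupMember` are deliberately not flagged.

```python
import re
from collections import defaultdict

# Constructed sample 4104 records (not real telemetry). Windows splits a long
# script block across several 4104 events that share a ScriptBlockId, so the
# detector reassembles fragments before matching.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ADGroup -Filter * -Properties Members | Export-Csv g.csv"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockId": "b7", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Import-Module ActiveDirectory; get-adgr"},
    {"EventCode": 4104, "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockId": "b7", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "oup -Identity 'Domain Admins'"},
    {"EventCode": 4104, "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ADGroupMember -Identity 'Helpdesk'"},
    {"EventCode": 4103, "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockId": "d9", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ADGroup -Identity 'Helpdesk'"},
]

# Exact cmdlet name, case-insensitive; the look-arounds stop Get-ADGroupMember
# (a different cmdlet) from matching.
GET_ADGROUP = re.compile(r"(?<![\w-])Get-ADGroup(?![\w-])", re.IGNORECASE)


def reassemble_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    frags = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4104:          # only script block events
            continue
        frags[ev["ScriptBlockId"]].append(ev)
    blocks = []
    for block_id, parts in frags.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        if len(parts) != parts[0]["MessageTotal"]:   # incomplete block: skip
            continue
        blocks.append({"ScriptBlockId": block_id, "Computer": parts[0]["Computer"],
                       "UserID": parts[0]["UserID"],
                       "ScriptBlockText": "".join(p["ScriptBlockText"] for p in parts)})
    return blocks


def detect_get_adgroup(events):
    """Return reassembled blocks whose text invokes Get-ADGroup."""
    return [b for b in reassemble_blocks(events) if GET_ADGROUP.search(b["ScriptBlockText"])]
```

Calling `detect_get_adgroup(SAMPLE_EVENTS)` returns the blocks from ws01 and ws02; the ws02 hit is only found because the two fragments were joined first.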
Categories
- Endpoint
Data Sources
- Pod
- Script
- User Account
ATT&CK Techniques
- T1069
- T1069.002
Created: 2024-11-13