This analytic rule detects the execution of PowerShell cmdlets `Get-DomainUser` or `Get-NetUser` with the `-SPN` parameter, often indicative of an attacker attempting to enumerate domain accounts linked to Service Principal Names (SPNs), which is a common precursor to Kerberoasting attacks. It utilizes PowerShell Script Block Logging (EventCode=4104) to surface specific patterns indicating this behavior. Upon detection, it may suggest potential credential theft or unauthorized privilege escalation within the network. The search query triggers alerts by looking for specific code executed in PowerShell, enabling security teams to investigate further and respond to potential threats promptly.