
Summary
The detection rule 'Group Policy Discovery via Microsoft GPResult Utility' flags potentially malicious use of the 'gpresult.exe' command, which reports the Group Policy Objects (GPOs) applied to a Windows host and its logged-on user. During an intrusion, attackers commonly map the Active Directory environment, and the applied policy settings (password and lockout policy, assigned rights, logon scripts, software restrictions) show them where privilege escalation or lateral movement is possible. The rule targets executions of 'gpresult.exe' with the arguments associated with this reconnaissance: '/z' (super-verbose output), '/v' (verbose output), '/r' (Resultant Set of Policy summary), and '/x' (XML report). It operates across several data sources, including Windows event logs and third-party endpoint security solutions, and uses an EQL (Event Query Language) query over process start events to identify runs of the utility. The resulting alerts let security teams investigate the context in which gpresult was executed, the user and parent process behind it, and related suspicious activity. That context is also what separates benign administrative use from adversary reconnaissance, since the command itself is legitimate and is routinely run by administrators troubleshooting policy.
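As an added illustration (not the rule's own EQL query, which this page does not reproduce), the Python below models the condition the summary describes: a Windows process start of gpresult.exe, or of a renamed copy identified by its PE original file name, with one of the four reconnaissance arguments. It runs the check over constructed sample events and attaches the triage context an analyst would want (user, parent process, matched flags, whether the binary was renamed). The ECS-style field names, the 'gprslt.exe' original file name, and the parent-process heuristic are assumptions made for this example.

```python
# Constructed sample events, not real telemetry. Field names follow the ECS
# convention; the rule's exact query is not on this page, so the matching
# condition below is an assumption modelled on the rule summary.
SAMPLE_EVENTS = [
    {   # administrator checking applied policy from an elevated cmd.exe
        "host.os.type": "windows", "event.type": "start",
        "process.name": "gpresult.exe", "process.pe.original_file_name": "gprslt.exe",
        "process.args": ["gpresult.exe", "/R"],
        "process.parent.name": "cmd.exe", "user.name": "itadmin",
    },
    {   # HTML report without any of the four flags: not matched
        "host.os.type": "windows", "event.type": "start",
        "process.name": "gpresult.exe", "process.pe.original_file_name": "gprslt.exe",
        "process.args": ["gpresult.exe", "/scope:user", "/h", "report.html"],
        "process.parent.name": "explorer.exe", "user.name": "itadmin",
    },
    {   # renamed copy of the binary launched by a script host: matched via original name
        "host.os.type": "windows", "event.type": "start",
        "process.name": "svc.exe", "process.pe.original_file_name": "gprslt.exe",
        "process.args": ["svc.exe", "/z", "/scope:computer"],
        "process.parent.name": "wscript.exe", "user.name": "jdoe",
    },
    {   # process exit rather than start: ignored
        "host.os.type": "windows", "event.type": "end",
        "process.name": "gpresult.exe", "process.pe.original_file_name": "gprslt.exe",
        "process.args": ["gpresult.exe", "/v"],
        "process.parent.name": "cmd.exe", "user.name": "itadmin",
    },
]

RECON_ARGS = {"/z", "/v", "/r", "/x"}
GPRESULT_NAMES = {"gpresult.exe"}
# PE original file name carried by gpresult.exe (assumed for this example)
GPRESULT_ORIGINAL_NAMES = {"gprslt.exe"}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def is_gpresult(event):
    """True if the process is gpresult.exe or a renamed copy of it."""
    name = (event.get("process.name") or "").lower()
    orig = (event.get("process.pe.original_file_name") or "").lower()
    return name in GPRESULT_NAMES or orig in GPRESULT_ORIGINAL_NAMES


def matches_rule(event):
    """Model of the rule condition: Windows process start of gpresult with a recon flag."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not is_gpresult(event):
        return False
    # Compare case-insensitively so '/R' is treated the same as '/r'
    return any(arg.lower() in RECON_ARGS for arg in event.get("process.args", []))


def triage(event):
    """Context to attach to the alert for the analyst."""
    parent = (event.get("process.parent.name") or "").lower()
    flags = [a for a in event.get("process.args", []) if a.lower() in RECON_ARGS]
    return {
        "user": event.get("user.name"),
        "parent": parent,
        "flags": flags,
        "renamed_binary": (event.get("process.name") or "").lower() not in GPRESULT_NAMES,
        "interactive_shell": parent in INTERACTIVE_SHELLS,
    }


def evaluate(events):
    """Return one triage record per event that matches the rule."""
    return [triage(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Both the administrator's `gpresult /R` and the renamed copy fire the rule, which is the intended behaviour: the rule surfaces every reconnaissance-style invocation, and the attached context is what the investigation uses. A run from an interactive shell by a known administrator is usually expected; a renamed binary spawned by a script host under an ordinary user account is the case to escalate.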
Categories
- Windows
- Endpoint
- Network
- Cloud
Data Sources
- Process
- Windows Registry
- Application Log
- User Account
- Command
ATT&CK Techniques
- T1615
Created: 2023-01-18