NMAP Execution

Anvilogic Forge

Summary
This detection rule monitors for execution of the Network Mapper (nmap) tool, which adversaries may use to conduct reconnaissance on a network. By analyzing process execution logs, the rule flags any invocation of nmap whose arguments include an IPv4 address, indicating that the user may be attempting to discover hosts for further lateral movement. Implemented in a Splunk environment, the logic filters endpoint data for nmap executions and captures relevant attributes such as timestamps, hostnames, users, and process types. This behavior aligns with the Discovery tactic described in MITRE ATT&CK technique T1018 (Remote System Discovery), in which adversaries seek to locate additional systems within a network. The rule is particularly relevant for environments that value visibility into network scanning and the potential indicators of compromise associated with the Alloy Taurus and Gallium threat actors.
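The following Python script is an added illustration of the detection logic the summary describes; it is not Anvilogic's rule or its Splunk query. It runs the same filter (process name is nmap, command line contains an IPv4 address) over a handful of constructed process-execution events. The event fields, the process-name matching by basename, and the treatment of a CIDR target such as 10.0.0.0/24 as an IPv4 argument are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Strict dotted-quad IPv4 (each octet 0-255) with an optional /prefix so that
# CIDR targets count as IPv4 arguments. The look-around guards stop partial
# matches inside longer tokens such as version strings or domain names.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"(?<![\w.]){_OCTET}(?:\.{_OCTET}){{3}}(?:/\d{{1,2}})?(?![\w.])")

# Process basenames treated as nmap (assumption: Linux binary and Windows port).
NMAP_NAMES = {"nmap", "nmap.exe"}


@dataclass
class ProcessEvent:
    """Constructed process-execution record (field names are assumptions)."""
    timestamp: str
    host: str
    user: str
    process_path: str
    command_line: str


@dataclass
class Finding:
    """Attributes the summary says the rule captures, plus the extracted targets."""
    timestamp: str
    host: str
    user: str
    process: str
    targets: List[str] = field(default_factory=list)
    technique: str = "T1018"


def is_nmap(process_path: str) -> bool:
    """Match on the executable basename only, so 'zenmap' or 'nmapper' do not fire."""
    name = re.split(r"[\\/]", process_path)[-1].lower()
    return name in NMAP_NAMES


def extract_ipv4_targets(command_line: str) -> List[str]:
    """Return every IPv4 (or IPv4/CIDR) argument found on the command line."""
    return IPV4_RE.findall(command_line)


def detect_nmap_execution(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Apply the rule: nmap process AND at least one IPv4 argument."""
    findings = []
    for ev in events:
        if not is_nmap(ev.process_path):
            continue
        targets = extract_ipv4_targets(ev.command_line)
        if not targets:
            continue  # e.g. nmap run against a hostname only: outside this rule's scope
        findings.append(Finding(ev.timestamp, ev.host, ev.user, ev.process_path, targets))
    return findings


# Constructed sample events: two should match, three should not.
SAMPLE_EVENTS = [
    ProcessEvent("2024-02-09T10:01:12Z", "SRV-APP-01", "svc_build",
                 "/usr/bin/nmap", "nmap -sS -p 22,80,443 192.168.1.0/24"),
    ProcessEvent("2024-02-09T10:02:40Z", "SRV-APP-01", "svc_build",
                 "/usr/bin/nmap", "nmap -sV scanme.nmap.org"),
    ProcessEvent("2024-02-09T10:05:03Z", "WS-FIN-07", "jdoe",
                 "C:\\Tools\\nmap.exe", "nmap.exe -p 445 10.0.5.12"),
    ProcessEvent("2024-02-09T10:06:15Z", "WS-FIN-07", "jdoe",
                 "C:\\Windows\\System32\\PING.EXE", "ping 10.0.0.1"),
    ProcessEvent("2024-02-09T10:07:30Z", "SRV-APP-01", "svc_build",
                 "/usr/bin/nmap", "nmap 1.2.3.256"),  # not a valid IPv4 address
]

if __name__ == "__main__":
    for f in detect_nmap_execution(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user} {f.process} targets={f.targets} ({f.technique})")
```

In production the IPv4 check would run in the SIEM over the endpoint data source, and the fields returned here are the ones an analyst would pivot on (time, host, user, executable) to decide whether the scan was authorized administration or reconnaissance.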
Categories
  • Network
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1018
Created: 2024-02-09