
Summary
This anomaly detects attempts to enumerate or verify the macOS firewall configuration by monitoring for two commands that reveal firewall state and policy details: defaults read /Library/Preferences/com.apple.alf and /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate. These commands disclose whether the firewall is enabled, which applications are allowed, and any explicit authorization rules; an attacker may use this information during reconnaissance to identify attack surface or plan subsequent network access. The rule relies on endpoint process data (Osquery results) and flags executions of these commands, with emphasis on executions by non-administrative users or at unusual times as potential indicators of reconnaissance activity. The detection correlates process name, full command line, parent process, user, and timestamp to reduce noise and give investigators context. It is aligned with MITRE ATT&CK technique T1016 (System Network Configuration Discovery) and provides early warning of firewall-related discovery behavior on macOS endpoints. Known false positives include legitimate administrative maintenance, inventory checks, and automated management tasks; excluding trusted administrative accounts or management systems reduces benign alerts. The socketfilterfw and defaults man pages are referenced for context. The rule can drive real-time alerts or be integrated into a SIEM/EDR workflow so that anomalous firewall configuration discovery can be contained and responded to quickly.
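The detection logic described above, run over a few constructed Osquery-style process events, as an added example that is not the rule's own query. The flattened field names (name, cmdline, parent, username, time), the trusted administrative account, the management-agent parent process name and the business-hours window are assumptions used for tuning.

```python
import re
from datetime import datetime

# The two commands named in the summary, matched against the full command line.
FIREWALL_DISCOVERY_PATTERNS = [
    re.compile(r"\bdefaults\s+read\s+/Library/Preferences/com\.apple\.alf\b"),
    re.compile(r"socketfilterfw\b.*--getglobalstate\b"),
]
TRUSTED_ADMINS = {"it-admin"}     # tuning: trusted administrative accounts (assumed name)
TRUSTED_PARENTS = {"jamfAgent"}   # tuning: management systems (hypothetical parent process)
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 counts as a usual time (assumed schedule)


def evaluate(event):
    """Return a finding for a firewall-discovery command, or None when the event does not match."""
    if not any(p.search(event["cmdline"]) for p in FIREWALL_DISCOVERY_PATTERNS):
        return None
    hour = datetime.fromisoformat(event["time"]).hour
    reasons = []
    if event["username"] not in TRUSTED_ADMINS:
        reasons.append("non-admin user")
    if hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if event["parent"] in TRUSTED_PARENTS:
        severity = "suppressed"   # known false positive: automated management task
    elif reasons:
        severity = "high"         # non-admin user and/or unusual time: reconnaissance indicator
    else:
        severity = "low"          # likely admin maintenance or an inventory check
    return {"technique": "T1016", "severity": severity, "reasons": reasons,
            "process": event["name"], "cmdline": event["cmdline"],
            "parent": event["parent"], "user": event["username"], "time": event["time"]}


def run(events):
    """Evaluate a batch of events and keep only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events in the assumed flattened Osquery shape.
SAMPLE_EVENTS = [
    {"name": "defaults", "cmdline": "defaults read /Library/Preferences/com.apple.alf",
     "parent": "bash", "username": "jdoe", "time": "2025-09-08T03:12:00+00:00"},
    {"name": "socketfilterfw",
     "cmdline": "/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate",
     "parent": "zsh", "username": "it-admin", "time": "2025-09-08T10:05:00+00:00"},
    {"name": "socketfilterfw",
     "cmdline": "/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate",
     "parent": "jamfAgent", "username": "root", "time": "2025-09-08T14:00:00+00:00"},
    {"name": "ls", "cmdline": "ls -la /Library/Preferences",
     "parent": "zsh", "username": "jdoe", "time": "2025-09-08T10:06:00+00:00"},
]
```

Calling run(SAMPLE_EVENTS) yields three findings: the off-hours execution by jdoe scores high, the daytime check by it-admin scores low, and the management-agent execution is suppressed; the ls event does not match at all.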
Categories
- Endpoint
- macOS
Data Sources
- User Account
- Script
- Process
- File
- Pod
- Container
- Image
- Logon Session
- Windows Registry
- WMI
- Cloud Storage
- Internet Scan
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Module
- Kernel
- Driver
- Volume
- Drive
- Snapshot
- Certificate
ATT&CK Techniques
- T1016
Created: 2025-09-08