
Summary
This analytic rule for Splunk Enterprise has been deprecated. It was designed to detect reconnaissance of network shares on Windows hosts through the built-in Net command (net.exe and its helper net1.exe). Attackers commonly run net view, net share and net use to enumerate and connect to shared resources, often as a precursor to privilege escalation or data collection and exfiltration. The detection monitored Sysmon EventID 1 (process creation) for Net invocations whose arguments reference shares, helping organizations surface potential reconnaissance (T1135) or collection from shared drives (T1039). Because Net is also used routinely by administrators and logon scripts, matches need tuning against known-good users, hosts and parent processes before they are treated as malicious.
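The following is an added example, not the deprecated rule's own SPL or any Splunk project code. It shows the detection logic the summary describes run in Python over a handful of constructed Sysmon EventID 1 records (pre-parsed into dicts whose keys follow Sysmon's field names, an assumption made for the example): only process-creation events are considered, the process must be net.exe or net1.exe, and the first argument must be one of the share-related subcommands view, share or use. It goes one step beyond the summary by also matching on the PE's OriginalFileName field, so a copy of net.exe renamed on disk is still caught and flagged as renamed.

```python
"""Flag Sysmon EventID 1 (process creation) records in which the Windows Net
command (net.exe / net1.exe) is used to enumerate or access network shares."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Binary names for the Net command; net.exe hands most work to net1.exe.
NET_BINARIES = {"net.exe", "net1.exe"}
# Net subcommands that list, create or connect to shares.
SHARE_SUBCOMMANDS = {"view", "share", "use"}

# Constructed sample events (not real telemetry). Keys mirror Sysmon EventID 1 fields.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net view \\fileserver01", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 share", "ParentImage": r"C:\Windows\System32\net.exe"},
    {"EventID": 1, "Computer": "ws02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net use Z: \\fileserver01\finance /persistent:no",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Computer": "ws02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net user", "ParentImage": r"C:\Windows\System32\cmd.exe"},  # not share-related
    {"EventID": 1, "Computer": "ws03", "User": "CORP\\carol",
     "Image": r"C:\Users\carol\AppData\Local\Temp\upd.exe", "OriginalFileName": "net.exe",
     "CommandLine": "upd.exe view /all", "ParentImage": r"C:\Windows\explorer.exe"},  # renamed net.exe
    {"EventID": 3, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "", "ParentImage": ""},  # network-connection event, not process creation
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": r"C:\Windows\explorer.exe"},  # unrelated process
]


@dataclass
class Finding:
    computer: str
    user: str
    image: str
    subcommand: str
    command_line: str
    renamed_binary: bool  # True when only OriginalFileName identified the binary as Net


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _subcommand(command_line: str) -> Optional[str]:
    """First argument after the program token (e.g. 'view' in 'net view \\\\srv')."""
    try:
        # posix=False keeps Windows backslashes intact and honours double quotes.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = command_line.split()
    if len(tokens) < 2:
        return None
    return tokens[1].strip('"').lower()


def is_net_binary(event: Dict) -> Tuple[bool, bool]:
    """Return (is_net, renamed): is_net if the on-disk name or the PE header's
    OriginalFileName is net.exe/net1.exe; renamed if only the header matched."""
    by_image = _basename(event.get("Image", "")) in NET_BINARIES
    by_original = event.get("OriginalFileName", "").lower() in NET_BINARIES
    return by_image or by_original, by_original and not by_image


def detect_share_interaction(events: List[Dict]) -> List[Finding]:
    """Apply the detection to a list of Sysmon events and return the matches."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation events carry a command line
            continue
        is_net, renamed = is_net_binary(ev)
        if not is_net:
            continue
        sub = _subcommand(ev.get("CommandLine", ""))
        if sub not in SHARE_SUBCOMMANDS:
            continue
        findings.append(Finding(ev["Computer"], ev["User"], ev["Image"], sub,
                                ev["CommandLine"], renamed))
    return findings


if __name__ == "__main__":
    for f in detect_share_interaction(SAMPLE_EVENTS):
        flag = " [renamed binary]" if f.renamed_binary else ""
        print(f"{f.computer} {f.user}: net {f.subcommand} -> {f.command_line}{flag}")
```

Running the block reports four of the seven constructed events: the net view, the net1 share child, the net use drive mapping, and the renamed copy; net user, the EventID 3 record and the unrelated cmd.exe launch are ignored. In production the allow-listing mentioned above (known admin accounts, logon-script parents such as specific GPO scripts) would be applied to the returned findings rather than baked into the match.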
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
ATT&CK Techniques
- T1135
- T1039
Created: 2025-01-24