
Windows Linked Policies In ADSI Discovery

Splunk Security Content

Summary
This analytic detects potential reconnaissance against Active Directory (AD) using the PowerShell `[adsisearcher]` type accelerator. It inspects PowerShell Script Block Logging events (EventCode 4104) for script blocks that invoke `[adsisearcher]` with a filter targeting organizational units, which is how an adversary enumerates OUs and the policies linked to them in order to map the domain structure. That map informs follow-on activity such as privilege escalation and lateral movement. The search aggregates matching events by time, host and user, so an analyst can see when and where the enumeration occurred. Script Block Logging must be enabled on the endpoints for the 4104 events to exist at all. Legitimate administrative and automation tasks also query OUs this way, so expect false positives and tune by account, host or script content rather than suppressing the detection outright.
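The following is an added example, not part of the Splunk Security Content page or its SPL, that replays the logic described above over a handful of constructed 4104 records: gate on the event code, match script blocks that contain both `[adsisearcher]` and an organizational-unit filter, and aggregate hits by host and user with first and last seen times. Field names (`_time`, `EventCode`, `Computer`, `UserID`, `ScriptBlockText`) and the allowlist of service accounts are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample Script Block Logging events (not real telemetry).
# Field names are assumptions modelled on common Windows TA extractions.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T09:01:00", "EventCode": 4104,
     "Computer": "WS01.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=organizationalunit)").FindAll()'},
    {"_time": "2024-11-13T09:02:30", "EventCode": 4104,
     "Computer": "WS01.corp.local", "UserID": "CORP\\jdoe",
     # Same technique, different casing and pulling the gplink attribute.
     "ScriptBlockText": '$s=[ADSISearcher]"(objectCategory=organizationalUnit)"; '
                        '$s.PropertiesToLoad.Add("gplink"); $s.FindAll()'},
    {"_time": "2024-11-13T09:05:00", "EventCode": 4104,
     "Computer": "SRV02.corp.local", "UserID": "CORP\\svc_backup",
     # Benign script block: no ADSI search at all.
     "ScriptBlockText": 'Get-ChildItem C:\\Backups | Where-Object { $_.Length -gt 1GB }'},
    {"_time": "2024-11-13T09:06:00", "EventCode": 4104,
     "Computer": "DC01.corp.local", "UserID": "CORP\\admin",
     # ADSI search, but for a user object, not an OU: outside this rule's scope.
     "ScriptBlockText": '([adsisearcher]"(samaccountname=jdoe)").FindOne()'},
    {"_time": "2024-11-13T09:07:00", "EventCode": 4103,
     "Computer": "WS01.corp.local", "UserID": "CORP\\jdoe",
     # Same text but not a script block event; excluded by the EventCode gate.
     "ScriptBlockText": '([adsisearcher]"(objectcategory=organizationalunit)").FindAll()'},
]

# Splunk wildcard matches are case-insensitive, so the regexes are too.
ADSI_PATTERN = re.compile(r"\[adsisearcher\]", re.IGNORECASE)
OU_PATTERN = re.compile(r"organizationalunit", re.IGNORECASE)

# Assumed tuning knob: accounts whose OU enumeration is known to be routine.
ALLOWLISTED_USERS = set()


def matches(event):
    """True when the event is a 4104 script block that searches ADSI for OUs."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    return bool(ADSI_PATTERN.search(text) and OU_PATTERN.search(text))


def aggregate(events, allowlist=ALLOWLISTED_USERS):
    """Mimic `stats count min(_time) max(_time) by Computer UserID` over matches.

    ISO-8601 timestamps compare correctly as strings, so min/max need no parsing.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches(ev) or ev["UserID"] in allowlist:
            continue
        g = groups[(ev["Computer"], ev["UserID"])]
        t = ev["_time"]
        g["count"] += 1
        if g["firstTime"] is None or t < g["firstTime"]:
            g["firstTime"] = t
        if g["lastTime"] is None or t > g["lastTime"]:
            g["lastTime"] = t
    return dict(groups)


if __name__ == "__main__":
    for (host, user), stats in aggregate(SAMPLE_EVENTS).items():
        print(f"{host} {user} count={stats['count']} "
              f"first={stats['firstTime']} last={stats['lastTime']}")
```

Only the two script blocks from `CORP\jdoe` on WS01 survive: the user-object lookup on the DC and the file listing fall outside the rule, and the 4103 record is dropped by the event-code gate. Passing a populated `allowlist` to `aggregate` is the simplest way to model the false-positive tuning the summary calls for; a production search would do the same with a lookup or a `NOT UserID IN (...)` clause.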
Categories
  • Endpoint
  • Windows
Data Sources
  • Persona
  • Pod
  • Process
ATT&CK Techniques
  • T1087.002
  • T1087
Created: 2024-11-13