Windows Netspy Network Scanner Execution

Splunk Security Content

Summary
This rule detects the use of the Netspy network scanner on Windows endpoints by analyzing endpoint process telemetry. It targets Netspy and its known variants (for example arpspy, icmpspy, pingspy, tcpspy and udpspy) by querying the Endpoint.Processes data model for processes named netspy.exe, or for processes whose command lines and related fields indicate scanner-related activity. The detection requires ingestion of detailed process information, including the process GUID, command line, parent process, destination IP/host and related process metadata, all mapped to CIM-compliant field names during normalization.

The search aggregates on the key process attributes (process_name, process, pid, guid, hash) together with the parent-process details and execution context, producing a concise detection window (firstTime/lastTime) for each distinct combination. When a match occurs, an alert is generated that can be drilled down to view results per user and destination, as well as the associated risk events.

The rule is designed to run within an EDR-backed data pipeline (Sysmon EventID 1, Windows Security 4688 events and CrowdStrike ProcessRollup2) and emphasizes speed and context by leveraging the Endpoint CIM, with a dedicated filter macro to reduce noise. The risk-based alerting (RBA) payload reads "Potential Netspy Network Scanner activity observed on $dest$ via $process$", highlighting the affected asset (destination) and the suspicious process used.

Known false positives include legitimate internal scans performed by network administrators, hence the recommendation to filter out approved internal scanning activity. The rule includes references and a test dataset to validate true positives, and supports rich drill-downs to aid incident response and risk analysis. It belongs to the Windows/Endpoint discovery detections and maps to the MITRE ATT&CK techniques for network scanning and remote system discovery listed below.
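The matching, allow-list filtering and firstTime/lastTime aggregation described above, reimplemented in Python as an added example; this is not the rule's own SPL nor any code from Splunk Security Content. The sample records, the allow-list entries, the GUIDs and hash strings are all constructed, and the check on original_file_name (the PE OriginalFileName carried by Sysmon EventID 1) is an assumption about what "related fields" covers, added so a renamed copy of the scanner is still caught.

```python
import re

# Netspy and the protocol-specific variant names listed in the rule summary.
NETSPY_VARIANTS = ("netspy", "arpspy", "icmpspy", "pingspy", "tcpspy", "udpspy")
NETSPY_RE = re.compile(r"^(?:" + "|".join(NETSPY_VARIANTS) + r")\.exe$", re.IGNORECASE)

# Constructed sample records shaped like CIM Endpoint.Processes fields after
# normalization of Sysmon EventID 1 / Security 4688. Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2026-04-13T09:00:00", "dest": "WS-FIN-07", "user": "CORP\\jdoe",
     "process_name": "netspy.exe", "original_file_name": "netspy.exe",
     "process": "netspy.exe 10.0.5.0/24", "process_id": 4120,
     "process_guid": "{CONSTRUCTED-GUID-1}", "process_hash": "SHA256=CONSTRUCTED_HASH_1",
     "parent_process_name": "cmd.exe"},
    # Same process a few seconds later: should widen the window, not add an alert.
    {"_time": "2026-04-13T09:00:05", "dest": "WS-FIN-07", "user": "CORP\\jdoe",
     "process_name": "netspy.exe", "original_file_name": "netspy.exe",
     "process": "netspy.exe 10.0.5.0/24", "process_id": 4120,
     "process_guid": "{CONSTRUCTED-GUID-1}", "process_hash": "SHA256=CONSTRUCTED_HASH_1",
     "parent_process_name": "cmd.exe"},
    # Approved internal scan from the network team's scanner host: filtered out.
    {"_time": "2026-04-13T09:10:00", "dest": "SCAN-01", "user": "CORP\\svc_netops",
     "process_name": "arpspy.exe", "original_file_name": "arpspy.exe",
     "process": "arpspy.exe 10.0.0.0/16", "process_id": 2210,
     "process_guid": "{CONSTRUCTED-GUID-2}", "process_hash": "SHA256=CONSTRUCTED_HASH_2",
     "parent_process_name": "powershell.exe"},
    # Benign system process: never matches.
    {"_time": "2026-04-13T09:12:00", "dest": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM",
     "process_name": "svchost.exe", "original_file_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs", "process_id": 900,
     "process_guid": "{CONSTRUCTED-GUID-3}", "process_hash": "SHA256=CONSTRUCTED_HASH_3",
     "parent_process_name": "services.exe"},
    # Renamed copy of tcpspy: caught via the PE OriginalFileName (assumption).
    {"_time": "2026-04-13T09:15:00", "dest": "WS-ENG-02", "user": "CORP\\mlee",
     "process_name": "svc.exe", "original_file_name": "tcpspy.exe",
     "process": "svc.exe 10.0.9.0/24 445", "process_id": 7788,
     "process_guid": "{CONSTRUCTED-GUID-4}", "process_hash": "SHA256=CONSTRUCTED_HASH_4",
     "parent_process_name": "explorer.exe"},
]

# Constructed allow-list standing in for the rule's filter macro:
# (dest, user) pairs approved for internal scanning.
APPROVED_SCANNERS = {("SCAN-01", "CORP\\svc_netops")}

# Fields the rule aggregates on (process attributes plus parent/context).
GROUP_FIELDS = ("dest", "user", "process_name", "process", "process_id",
                "process_guid", "process_hash", "parent_process_name")


def is_netspy(event):
    """True if the binary name, or its PE OriginalFileName, is a Netspy variant."""
    return any(NETSPY_RE.match(event.get(field) or "")
               for field in ("process_name", "original_file_name"))


def is_approved(event):
    """True for scanning activity the organisation has explicitly approved."""
    return (event.get("dest"), event.get("user")) in APPROVED_SCANNERS


def detect_netspy(events):
    """Return one alert per distinct process/context group, with firstTime/lastTime."""
    groups = {}
    for ev in events:
        if not is_netspy(ev) or is_approved(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"firstTime": ev["_time"],
                                    "lastTime": ev["_time"], "count": 0})
        # ISO-8601 strings compare correctly as text.
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        g["count"] += 1

    alerts = []
    for key, g in groups.items():
        alert = dict(zip(GROUP_FIELDS, key))
        alert.update(g)
        # Same shape as the rule's RBA message, with $dest$/$process$ filled in.
        alert["risk_message"] = ("Potential Netspy Network Scanner activity observed on "
                                 f"{alert['dest']} via {alert['process']}")
        alerts.append(alert)
    alerts.sort(key=lambda a: a["firstTime"])
    return alerts


if __name__ == "__main__":
    for a in detect_netspy(SAMPLE_EVENTS):
        print(a["firstTime"], a["lastTime"], a["count"], a["risk_message"])
```

Two alerts come out of the five sample records: the two netspy.exe launches on WS-FIN-07 collapse into one row with a five-second window, the approved arpspy run on SCAN-01 is suppressed by the allow-list, and the renamed tcpspy copy on WS-ENG-02 is still surfaced because the PE original name is checked alongside the process name.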
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Image
  • Application Log
ATT&CK Techniques
  • T1595
  • T1018
Created: 2026-04-13