
Summary
This detection rule aims to identify potentially malicious activity associated with the execution of the Get-GPO command in PowerShell. Get-GPO retrieves Group Policy Objects (GPOs) from a Windows domain, which adversaries can leverage for reconnaissance of domain configuration. The rule triggers when the ScriptBlockText field contains the string 'Get-GPO', indicating that the executing script is attempting to interact with GPOs. For this detection to function, Script Block Logging must be enabled on the monitored systems, since that is what records the text of executed PowerShell script blocks. Note that legitimate PowerShell scripts may also invoke this command, which can produce false positives, though at a low rate. The rule's level is classified as low, reflecting the possibility of benign uses of Get-GPO. Alerts from this rule therefore need monitoring and analysis to distinguish legitimate administrative activity from potentially malicious reconnaissance.
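The rule's single condition applied to Script Block Logging events, as an added example that is not part of the original rule page. The event records are constructed, and the assumption that the Script data source corresponds to PowerShell Operational Event ID 4104 is stated in the code.

```python
"""Added example (not the original rule): evaluate the 'ScriptBlockText
contains Get-GPO' condition over constructed Script Block Logging events
and tag each hit with the ATT&CK technique the rule maps to (T1615)."""
import re

# Sigma 'contains' comparisons are case-insensitive, so the check is too.
PATTERN = re.compile(r"Get-GPO", re.IGNORECASE)

# Assumption: the Script data source is Microsoft-Windows-PowerShell/Operational
# Event ID 4104, which is only emitted when Script Block Logging is enabled.
SCRIPT_BLOCK_EVENT_ID = 4104

# Constructed sample events; paths and script text are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Path": "C:\\ops\\gpo-inventory.ps1",
     "ScriptBlockText": "Get-GPO -All | Select-Object DisplayName, Id"},
    {"EventID": 4104, "Path": "",
     "ScriptBlockText": "get-gpo -name 'Default Domain Policy'"},
    {"EventID": 4104, "Path": "",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"EventID": 4103, "Path": "",          # module logging, not a script block
     "ScriptBlockText": "Get-GPO -All"},
]


def matches_rule(event):
    """True when the event is a script block whose text contains Get-GPO."""
    if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
        return False
    return PATTERN.search(event.get("ScriptBlockText", "")) is not None


def evaluate(events):
    """Return one low-severity alert per matching event.

    The Path field is carried along because it is the first triage pivot:
    a known administrative script file is a different case from an
    interactive or in-memory script block with no path at all.
    """
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "technique": "T1615",
                "level": "low",
                "path": event.get("Path") or "<no path: interactive/in-memory>",
                "script": event["ScriptBlockText"],
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```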
Categories
- Windows
- Endpoint
Data Sources
- Script
ATT&CK Techniques
- T1615
Created: 2022-06-04