
Summary
This detection rule identifies execution of the `Get-AdComputer` cmdlet via `powershell.exe`, which is used to enumerate the computers in a Windows domain. It is intended to surface potential reconnaissance by adversaries gathering information about the systems available within a domain. The detection relies on Endpoint Detection and Response (EDR) telemetry, specifically process execution data: process names, command-line arguments, and parent processes. Execution of this cmdlet can mark a step in the attack lifecycle in which attackers map the network before attempting unauthorized system access or data exfiltration. The rule filters and interprets this telemetry to alert security teams to potential threats in real time. It requires that process logs be ingested and normalized to the Splunk Common Information Model (CIM) to work as intended.
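The following is an added example of the detection logic described above, applied to a handful of constructed process-execution events; it is not the rule's own Splunk search and not code from the project that publishes the rule. Field names (`process_name`, `process`, `parent_process_name`, `dest`, `user`, `_time`) follow the Splunk CIM Endpoint.Processes data model, and the sample events are invented for illustration. The page's rule names only `powershell.exe`; this example also matches `pwsh.exe` as an assumption, so the same cmdlet run under PowerShell 7 is not missed.

```python
"""Added example: detection logic for Get-AdComputer run through PowerShell,
applied to constructed process-execution events. This is not the rule's own
Splunk search; field names follow the Splunk CIM Endpoint.Processes data model
(process_name, process, parent_process_name, dest, user, _time)."""
import re
from collections import defaultdict

# PowerShell host binaries to match on. The rule on this page names
# powershell.exe; pwsh.exe (PowerShell 7) is added here as an assumption.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# Match the cmdlet name as a whole word, case-insensitive, because PowerShell
# accepts any casing (Get-AdComputer, get-adcomputer, GET-ADCOMPUTER).
CMDLET = re.compile(r"\bget-adcomputer\b", re.IGNORECASE)

# Constructed sample events (not real telemetry). Two hits, two non-hits:
# one benign PowerShell script run and one non-PowerShell process whose
# command line merely contains the cmdlet name.
SAMPLE_EVENTS = [
    {"_time": 1731492062, "dest": "WS01", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process": 'powershell.exe -NoP -c "Get-AdComputer -Filter *"'},
    {"_time": 1731492190, "dest": "WS01", "user": "CORP\\jdoe",
     "parent_process_name": "explorer.exe", "process_name": "pwsh.exe",
     "process": "pwsh.exe -Command get-adcomputer -Filter * | Select Name"},
    {"_time": 1731492300, "dest": "SRV02", "user": "CORP\\svc_backup",
     "parent_process_name": "services.exe", "process_name": "powershell.exe",
     "process": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"_time": 1731492400, "dest": "WS03", "user": "CORP\\asmith",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process": "notepad.exe C:\\notes\\Get-AdComputer.txt"},
]


def is_match(event):
    """True when a PowerShell host ran a command line containing Get-AdComputer."""
    name = event.get("process_name", "").lower()
    return name in POWERSHELL_HOSTS and bool(CMDLET.search(event.get("process", "")))


def detect(events):
    """Return the matching events, reduced to the fields an analyst triages."""
    keep = ("_time", "dest", "user", "parent_process_name", "process_name", "process")
    return [{k: e.get(k) for k in keep} for e in events if is_match(e)]


def summarize(events):
    """Aggregate hits per (dest, user): count plus first and last seen times,
    the equivalent of a 'stats count min(_time) max(_time) by dest user' rollup."""
    agg = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for hit in detect(events):
        row = agg[(hit["dest"], hit["user"])]
        t = hit["_time"]
        row["count"] += 1
        row["first_seen"] = t if row["first_seen"] is None else min(row["first_seen"], t)
        row["last_seen"] = t if row["last_seen"] is None else max(row["last_seen"], t)
    return dict(agg)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(summarize(SAMPLE_EVENTS))
```

Run against the sample set, only the two PowerShell-hosted invocations are reported, both rolled up under `WS01` / `CORP\jdoe`. The parent process is kept in each hit because it is what separates an interactive shell or a script host from an unexpected launcher during triage; administrators and inventory scripts also run `Get-AdComputer` legitimately, so the aggregated output is where an analyst applies allow-listing by user, host or parent process before escalating.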
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Command
- Script
ATT&CK Techniques
- T1018
Created: 2024-11-13