
Summary
The "Nslookup Execution" rule detects execution of nslookup on Windows hosts. nslookup is a legitimate command-line tool for querying the Domain Name System (DNS): administrators use it to resolve host names to IP addresses, look up specific record types, and test individual name servers. Adversaries use the same tool during reconnaissance because it is already present on every Windows system, which lets them enumerate internal hosts and services without introducing a new binary; the page associates this behaviour with threat actors such as FIN7.

The detection logic is written in Snowflake SQL and runs against CrowdStrike Falcon Data Replicator (FDR) process logs. It selects process events from Windows endpoints whose image name is nslookup.exe, restricted to a two-hour lookback window so the query can be scheduled to run periodically without reprocessing older data. The rule is mapped to T1218 (System Binary Proxy Execution, a Defense Evasion technique) and T1016 (System Network Configuration Discovery). It depends on EDR telemetry, so coverage is limited to hosts running the Falcon sensor with FDR enabled.

Because nslookup is common in legitimate administrative and scripted activity, this rule on its own is a low-fidelity signal: expect hits from help-desk troubleshooting, monitoring scripts and routine network diagnostics. Treat it as a hunting query or a correlation input rather than a stand-alone alert, baseline normal usage per host and user, and prioritise unusual parent processes, bursts of lookups against many distinct names, and execution under accounts that do not normally perform network administration.
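The detection described above, written out as an added example rather than the rule's published query. It assumes FDR events have been landed in a Snowflake table named CROWDSTRIKE_FDR.PROCESS_EVENTS (the table name is an assumption; substitute your own landing table) that carries the standard FDR columns event_simpleName, event_platform, ImageFileName, CommandLine, ComputerName, aid, UserName, ParentBaseFileName and the epoch-millisecond timestamp column. The first CTE is the rule as summarised (nslookup.exe process starts on Windows within the last two hours); the final SELECT aggregates those hits per host, user and parent process so that bursts and odd parents stand out during triage.

```sql
-- Added example, not the rule's own query. Table name and column set are
-- assumptions about how FDR data is landed in Snowflake; adjust to your schema.
WITH nslookup_events AS (
    SELECT
        TO_TIMESTAMP_NTZ(timestamp::NUMBER / 1000) AS event_time,   -- FDR timestamp is epoch milliseconds
        ComputerName                               AS host,
        aid                                        AS sensor_id,
        UserName                                   AS user_name,
        ParentBaseFileName                         AS parent_process,
        ImageFileName                              AS process_path,
        CommandLine                                AS command_line
    FROM CROWDSTRIKE_FDR.PROCESS_EVENTS
    WHERE event_simpleName = 'ProcessRollup2'                     -- process start events
      AND event_platform   = 'Win'                                -- Windows endpoints only
      AND ImageFileName ILIKE '%\\nslookup.exe'                   -- match on the image name, not the command line
      AND TO_TIMESTAMP_NTZ(timestamp::NUMBER / 1000)
            >= DATEADD('hour', -2, CURRENT_TIMESTAMP())           -- two-hour lookback window
)
-- Triage view: group the raw hits so a single troubleshooting session collapses
-- into one row, while scripted enumeration shows up as a high lookup count.
SELECT
    host,
    user_name,
    parent_process,
    COUNT(*)                      AS lookups,
    MIN(event_time)               AS first_seen,
    MAX(event_time)               AS last_seen,
    ARRAY_AGG(DISTINCT command_line) AS distinct_command_lines
FROM nslookup_events
GROUP BY host, user_name, parent_process
ORDER BY lookups DESC, last_seen DESC;
```

When tuning, keep the inner CTE as the rule and apply exclusions (known monitoring service accounts, management hosts) in the outer query, so that the raw events remain available for investigation even when a row is suppressed from alerting.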
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1218 (System Binary Proxy Execution)
- T1016 (System Network Configuration Discovery)
Created: 2024-02-09