
Domain Account Discovery with Dsquery

Splunk Security Content

Summary
This detection rule identifies execution of the command-line tool `dsquery.exe`, which queries Active Directory and can be used to enumerate domain user accounts. Using process-execution telemetry from Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2, the rule matches on the process name and the command-line arguments passed to `dsquery.exe`. This activity is characteristic of reconnaissance: an attacker enumerating user accounts in the domain to select targets for privilege escalation and lateral movement. The three sources are normalized through the Endpoint data model so that process name and command line are matched consistently regardless of which EDR agent produced the record. Because `dsquery.exe` ships with the AD DS administration tools and is present on domain controllers, legitimate administrator use is expected; triage hits by user, host and parent process rather than treating every execution as malicious.
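As an added illustration (not code from the Splunk Security Content rule itself), the following Python runs the matching logic the summary describes over a few constructed process events shaped like the three sources. The raw field names per source, and the "user" command-line criterion, are assumptions about how the rule and its inputs look rather than something the page spells out; the sample records are made up. It also checks Sysmon's OriginalFileName so that a renamed copy of dsquery.exe is still caught, which is a useful check beyond a bare process-name match.

```python
import re
from dataclasses import dataclass

# Field names per source are assumptions about how Sysmon EventID 1, Security 4688
# and CrowdStrike ProcessRollup2 records look once ingested; adjust to your pipeline.
FIELD_MAP = {
    "sysmon":        ("Image",            "CommandLine",          "OriginalFileName"),
    "security_4688": ("New_Process_Name", "Process_Command_Line", None),
    "crowdstrike":   ("ImageFileName",    "CommandLine",          None),
}

@dataclass
class ProcessEvent:
    event_id: str
    source: str
    process_name: str        # lower-cased basename of the image path
    command_line: str
    original_file_name: str  # PE header name where the source records it, else ""

def normalize(raw: dict) -> ProcessEvent:
    """Map one raw record onto the common shape the detection matches against."""
    path_field, cmd_field, ofn_field = FIELD_MAP[raw["source"]]
    path = raw.get(path_field, "")
    # NT device paths (\Device\HarddiskVolume2\...) and drive paths (C:\...)
    # both reduce to the same basename.
    basename = re.split(r"[\\/]", path)[-1].lower()
    ofn = raw.get(ofn_field, "") if ofn_field else ""
    return ProcessEvent(raw["event_id"], raw["source"], basename,
                        raw.get(cmd_field, ""), ofn.lower())

def is_dsquery_user_discovery(ev: ProcessEvent) -> bool:
    """True when dsquery.exe (by image name or original PE name) queries user objects."""
    is_dsquery = ev.process_name == "dsquery.exe" or ev.original_file_name == "dsquery.exe"
    # Substring match, not a word match: it catches both the 'user' object type and
    # LDAP filters such as (objectCategory=user). Assumption: this stands in for the
    # rule's command-line criterion, which the page does not quote.
    return is_dsquery and "user" in ev.command_line.lower()

def detect(raw_events):
    """Return the normalized events that the detection fires on, in input order."""
    return [ev for ev in map(normalize, raw_events) if is_dsquery_user_discovery(ev)]

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": "e1", "source": "sysmon",
     "Image": r"C:\Windows\System32\dsquery.exe", "OriginalFileName": "dsquery.exe",
     "CommandLine": "dsquery user -name * -limit 0"},
    {"event_id": "e2", "source": "security_4688",
     "New_Process_Name": r"C:\Windows\System32\dsquery.exe",
     "Process_Command_Line": "dsquery computer -name * -limit 0"},
    {"event_id": "e3", "source": "crowdstrike",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\dsquery.exe",
     "CommandLine": 'dsquery * -filter "(objectCategory=user)" -attr sAMAccountName'},
    {"event_id": "e4", "source": "sysmon",   # renamed binary, caught via OriginalFileName
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "dsquery.exe",
     "CommandLine": "svchost.exe user -name * -limit 0"},
    {"event_id": "e5", "source": "sysmon",   # 'user' in the command line, but not dsquery
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Get-ADUser -Filter *"},
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"{ev.event_id} [{ev.source}] {ev.process_name}: {ev.command_line}")
```

Events e1, e3 and e4 fire; e2 (computer enumeration) and e5 (PowerShell, a different tool covered by other rules) do not. The substring criterion is deliberately broad, so expect hits on legitimate administrative dsquery use and tune by host and account rather than by narrowing the pattern.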
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Command
  • Application Log
ATT&CK Techniques
  • T1087 (Account Discovery)
  • T1087.002 (Account Discovery: Domain Account)
Created: 2024-11-13