
Summary
The "Advanced IP Scanner Execution" detection rule identifies executions of the Advanced IP Scanner utility on endpoints. This is relevant because several threat actors, including UNC2465, Conti, Pysa, and FIN12, have adopted the tool for reconnaissance. The detection logic is implemented in Splunk and combines Sysmon event codes with process matching to capture the relevant execution events; key attributes such as the process name and command-line parameters are analyzed to flag usage of the utility. Because the tool also has legitimate network-scanning uses, the rule must differentiate between benign and malicious execution contexts if it is to improve detection of misuse by attackers. The detection maps to the Discovery tactic, network service discovery (MITRE ATT&CK technique T1046), and provides visibility into a potential initial reconnaissance phase of an attack.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1046
Created: 2024-02-09