
Summary
The 'Remote System Discovery with Dsquery' analytic rule identifies potential reconnaissance activity by monitoring execution of 'dsquery.exe' with the 'computer' argument within Active Directory environments. This behavior is indicative of attackers, or authorized security assessments, mapping domain resources, a step that commonly precedes lateral movement across a network. Using data from endpoint telemetry sources such as EDR solutions, Sysmon, and Windows Event Logs, the detection relies on process names and command-line arguments recorded for processes executed on endpoints. Its effectiveness depends on accurate ingestion and processing of detailed logs, particularly command-line execution records, which raise the likelihood of detecting malicious activity. Normalized fields from the Splunk Common Information Model (CIM) supply the context that improves query performance and supports incident response.
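The matching logic described above, as an added illustration that is not the rule's own search: it runs over constructed process-creation records shaped like Splunk CIM Endpoint.Processes fields (process_name, original_file_name, process, dest, user), matches the 'computer' argument case-insensitively as a standalone token, and also checks original_file_name so a renamed copy of dsquery.exe is still reported.

```python
import re

# Constructed sample events in CIM Endpoint.Processes field layout; not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\jdoe", "process_name": "dsquery.exe",
     "original_file_name": "dsquery.exe", "process": "dsquery.exe computer -limit 0"},
    {"dest": "ws01", "user": "CORP\\jdoe", "process_name": "DSQUERY.EXE",
     "original_file_name": "dsquery.exe", "process": "dsquery  COMPUTER -name srv*"},
    {"dest": "dc01", "user": "CORP\\admin", "process_name": "dsquery.exe",
     "original_file_name": "dsquery.exe", "process": "dsquery user -name j*"},
    {"dest": "ws02", "user": "CORP\\jdoe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "process": "cmd.exe /c echo computer"},
    {"dest": "ws03", "user": "CORP\\mallory", "process_name": "svc.exe",
     "original_file_name": "dsquery.exe", "process": "svc.exe computer -limit 0"},
]

# 'computer' must appear as its own whitespace-delimited argument, any case.
COMPUTER_ARG = re.compile(r"(^|\s)computer(\s|$)", re.IGNORECASE)


def is_dsquery_computer(event: dict) -> bool:
    """True when the process is dsquery.exe (by process name or the PE's
    original file name) and its command line carries the 'computer' argument."""
    names = {
        event.get("process_name", "").lower(),
        event.get("original_file_name", "").lower(),
    }
    if "dsquery.exe" not in names:
        return False
    return COMPUTER_ARG.search(event.get("process", "")) is not None


def detect(events):
    """Group matching command lines by (dest, user), the way a
    'stats values(process) by dest user' summary in the rule would."""
    hits = {}
    for ev in events:
        if is_dsquery_computer(ev):
            hits.setdefault((ev["dest"], ev["user"]), []).append(ev["process"])
    return hits


if __name__ == "__main__":
    for (dest, user), cmds in detect(SAMPLE_EVENTS).items():
        print(f"{dest} {user}: {cmds}")
```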
Categories
- Windows
- Endpoint
- Network
- Identity Management
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1018
Created: 2024-11-13