The PowerShell Domain Enumeration analytic rule detects the execution of PowerShell commands commonly used for gathering information about a Windows domain, such as \"get-netdomaintrust\" and \"get-adgroupmember\". This detection utilizes PowerShell Script Block Logging (EventCode=4104) to capture and analyze the complete command that was executed in PowerShell. Detecting such commands is crucial as they often signify that an attacker is conducting reconnaissance to map out the domain and identify important users and groups. Recognizing this behavior can be vital for preventing follow-up attacks, privilege escalation, and unauthorized access to sensitive domain data. The rule outputs statistics including the count of detections, first and last occurrence timestamps, and metadata like the Computer name, EventCode, ScriptBlockText, and User ID involved.