
System Network Connections Discovery - *nix

Anvilogic Forge

Summary
This detection rule identifies potential adversarial behavior in which attackers attempt to discover network connections to or from a compromised Unix/Linux or macOS system. It specifically looks for executions of common commands that attackers can use to obtain network connection details, including `netstat`, `who`, and `lsof`. The detection logic uses a Snowflake SQL query to extract records from CrowdStrike EDR logs, filtering for process execution events that occurred within the last two hours and match the specified command patterns. Analyzing this activity lets security teams spot attempts to enumerate network connections, which is indicative of discovery-stage techniques used by malicious actors. This aligns with MITRE ATT&CK technique T1049, System Network Connections Discovery, and contributes to an organization's overall threat detection coverage.
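As an added illustration of the matching logic described above (not Anvilogic's Snowflake query or the CrowdStrike schema), the following Python applies the same two filters, a two-hour look-back window and a `netstat`/`who`/`lsof` command pattern, to constructed process events; the event field names and the anchored command-line regex are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Binaries named in the rule summary. The regex anchors the binary name to the
# start of the command line (optional leading path) so that "whoami" or an
# argument containing "lsof" does not match.
WATCHED_COMMANDS = ("netstat", "who", "lsof")
COMMAND_PATTERN = re.compile(r"^(?:\S*/)?(" + "|".join(WATCHED_COMMANDS) + r")(?:\s|$)")
WINDOW = timedelta(hours=2)  # the rule's look-back window

def matches_command(command_line: str) -> bool:
    """True when the command line invokes netstat, who or lsof."""
    return COMMAND_PATTERN.match(command_line.strip()) is not None

def find_discovery_events(events, now):
    """Return *nix events inside the look-back window whose command line matches.

    Each event is a dict with 'timestamp' (aware datetime), 'platform', 'user'
    and 'command_line'; these field names are assumptions for this example,
    not the CrowdStrike schema.
    """
    cutoff = now - WINDOW
    return [
        ev for ev in events
        if ev["platform"] in ("linux", "mac")
        and cutoff <= ev["timestamp"] <= now
        and matches_command(ev["command_line"])
    ]

# Constructed sample telemetry for this example, not real EDR output.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

def _ev(minutes_ago, platform, user, command_line):
    return {"timestamp": NOW - timedelta(minutes=minutes_ago),
            "platform": platform, "user": user, "command_line": command_line}

SAMPLE_EVENTS = [
    _ev(5, "linux", "www-data", "/usr/bin/netstat -antp"),  # hit
    _ev(20, "mac", "alice", "lsof -i -nP"),                  # hit
    _ev(30, "linux", "root", "who -a"),                      # hit
    _ev(180, "linux", "root", "netstat -rn"),                # outside window
    _ev(1, "linux", "root", "whoami"),                       # look-alike, no hit
    _ev(2, "linux", "root", "grep lsof /var/log/syslog"),    # argument only, no hit
    _ev(3, "windows", "admin", "netstat -ano"),              # not *nix, out of scope
]

if __name__ == "__main__":
    for hit in find_discovery_events(SAMPLE_EVENTS, NOW):
        print(hit["timestamp"].isoformat(), hit["user"], hit["command_line"])
```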
Categories
  • Linux
  • macOS
  • Endpoint
  • Network
Data Sources
  • Process
ATT&CK Techniques
  • T1049
Created: 2024-02-09