
Summary
This detection rule identifies target discovery activity in which an adversary uses PowerShell to query Windows event logs that hold system and security data. The System, Security and Windows Terminal Services logs record boot and service events, logon sessions and remote desktop connections, so reading them lets an intruder map hosts, accounts and sessions on a network; APT28 has been observed doing this as a precursor to lateral movement and data exfiltration. The rule consumes PowerShell's own logs rather than process creation events: Event ID 4103 (module logging, which records pipeline execution details) and Event ID 4104 (script block logging, which records the text of every executed script block). Within those events it matches commands that retrieve event log data (in PowerShell, the Get-EventLog and Get-WinEvent cmdlets) directed at the logs named above and flags them as discovery. Both event IDs are only produced when module logging and script block logging are enabled through Group Policy, so the rule sees nothing on hosts where that configuration is missing. The rule helps detect reconnaissance early, before it grows into a larger intrusion. Its association with RagnarLocker shows why PowerShell monitoring needs to be kept current: the same log-reading behaviour has been linked to ransomware operations as well as state-sponsored actors. Identifying these patterns lets organisations improve their threat intelligence and reduce the risk of targeted attacks.
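The following PowerShell is an added hunting example and is not the rule's own query. It assumes script block logging is enabled so that Event ID 4104 is present, that the log-reading commands of interest are Get-EventLog, Get-WinEvent and wevtutil, and that the target logs are the System, Security and Terminal Services logs named in the summary; the sample script blocks at the end are constructed, not real telemetry, so the matching logic can be exercised offline.

```powershell
# Added example (not the original rule): hunt PowerShell Script Block Logging (Event ID 4104)
# for commands that read the System, Security or TerminalServices event logs.
# Assumption: 'Turn on PowerShell Script Block Logging' is enabled via Group Policy.

# Regexes for log-reading commands and for the logs the rule is concerned with (assumed scope).
$ReadCmdlets = 'Get-EventLog|Get-WinEvent|wevtutil(\.exe)?\s+(qe|query-events)'
$TargetLogs  = 'Security|System|TerminalServices'

function Test-EventLogDiscovery {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    # Hit only when a log-reading command AND one of the target logs occur in the same script block.
    # -match is case-insensitive by default, which suits the mixed casing seen in real script blocks.
    ($ScriptBlockText -match $ReadCmdlets) -and ($ScriptBlockText -match $TargetLogs)
}

function Find-EventLogDiscovery {
    param([int]$MaxEvents = 5000)
    # Live hunt on the local host. For 4104 the EventData fields are
    # MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path; index 2 is the script text.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      Where-Object { Test-EventLogDiscovery -ScriptBlockText $_.Properties[2].Value } |
      Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Constructed sample script blocks (not real telemetry) to exercise the logic offline.
$Samples = @(
    'Get-EventLog -LogName Security -Newest 500 | Where-Object { $_.EventID -eq 4624 }',  # hit
    'Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"', # hit
    'wevtutil qe System /c:200 /rd:true /f:text',                                         # hit
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5',                 # benign
    'Get-WinEvent -LogName Application -MaxEvents 10'                                     # log out of scope
)
$Samples | ForEach-Object {
    [pscustomobject]@{ Hit = Test-EventLogDiscovery -ScriptBlockText $_; ScriptBlock = $_ }
}

# Run Find-EventLogDiscovery on a host with script block logging enabled to hunt real events.
```

The two-condition match keeps noise down: a script that reads the Application log, or a backup job that mentions "Security" without reading any log, does not fire. The remaining false positives come from administrators legitimately reviewing logon events, so in practice the hit list should be joined against the user and host that produced the 4104 event before it is escalated.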
Categories
- Windows
- Endpoint
- Cloud
Data Sources
- Process
- Logon Session
- Application Log
- Windows Registry
ATT&CK Techniques
- T1082
Created: 2024-02-09