Security Software Discovery via WMI

Anvilogic Forge

Summary
This detection rule identifies adversarial discovery of security software and its configuration on a system through Windows Management Instrumentation (WMI). Adversaries commonly enumerate installed security products, including firewall configuration and antivirus solutions, to assess a system's defenses and decide how to proceed. The rule uses the `get_endpoint_data` and `get_endpoint_data_powershell` macros together with PowerShell EventCodes 4103 (module logging) and 4104 (script block logging) to surface enumeration activity aimed at security software, specifically WMI commands that reference 'AntiVirusProduct'. The matching events are extracted for analysis as indicators of reconnaissance by a threat actor seeking to learn the security posture of the target environment. This rule maps to the technique 'Security Software Discovery', a sub-technique of Software Discovery. The logic is written for Splunk, with regex filtering for precise event identification.
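As an added illustration of the detection logic described above (this is example code written for this page, not the Anvilogic rule itself or its Splunk search), the following Python function applies the same two conditions to a handful of constructed PowerShell log events: the EventCode must be 4103 or 4104, and the event text must contain both a WMI indicator and a reference to the `AntiVirusProduct` class. The field names (`ScriptBlockText`, `Payload`, `CommandLine`), the sample computer names and the 4688 event used to show the EventCode scoping are all assumptions made for the example.

```python
import re

# Constructed sample events modelled on PowerShell operational log entries.
# EventCode 4103 = module logging, 4104 = script block logging; the 4688
# process-creation event is included only to show that the EventCode filter
# excludes it unless the caller widens the allowed set.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01",
     "ScriptBlockText": "Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct"},
    {"EventCode": 4104, "Computer": "ws02",
     "ScriptBlockText": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select displayName"},
    {"EventCode": 4103, "Computer": "ws03",
     "Payload": 'CommandInvocation(Get-WmiObject): "Get-WmiObject"\n'
                'ParameterBinding(Get-WmiObject): name="Class"; value="AntiVirusProduct"'},
    {"EventCode": 4104, "Computer": "ws04",
     "ScriptBlockText": "Get-ChildItem C:\\Users"},                 # benign, no WMI
    {"EventCode": 4688, "Computer": "ws05",
     "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
]

# A WMI/CIM access indicator: cmdlets, their aliases, wmic, or the SecurityCenter2 namespace.
WMI_INDICATOR = re.compile(r"(?i)\b(get-wmiobject|gwmi|get-ciminstance|gcim|wmic|securitycenter2)")
# The security-software class the rule keys on.
SECURITY_CLASS = re.compile(r"(?i)antivirusproduct")

DEFAULT_EVENT_CODES = frozenset({4103, 4104})


def event_text(event):
    """Concatenate the free-text fields an event might carry the command in."""
    return " ".join(str(event.get(k, "")) for k in ("ScriptBlockText", "Payload", "CommandLine"))


def detect_security_software_discovery(events, event_codes=DEFAULT_EVENT_CODES):
    """Return one hit per event that is in scope by EventCode and shows WMI
    access to AntiVirusProduct (ATT&CK T1518.001)."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in event_codes:
            continue
        text = event_text(ev)
        wmi = WMI_INDICATOR.search(text)
        cls = SECURITY_CLASS.search(text)
        if wmi and cls:
            hits.append({
                "Computer": ev.get("Computer"),
                "EventCode": ev["EventCode"],
                "technique": "T1518.001",
                "evidence": f"{wmi.group(0)} ... {cls.group(0)}",
            })
    return hits


if __name__ == "__main__":
    for hit in detect_security_software_discovery(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the script flags ws01, ws02 and ws03 and ignores ws05 because its `wmic` invocation arrives as a process-creation event rather than PowerShell logging; passing `event_codes={4103, 4104, 4688}` picks it up as well, which is the kind of widening the rule's `get_endpoint_data` (process) branch provides.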
Categories
  • Endpoint
  • Windows
Data Sources
  • WMI
  • Application Log
  • Process
ATT&CK Techniques
  • T1518.001
Created: 2024-02-09