
GetNetTcpconnection with PowerShell

Splunk Security Content

Summary
The detection rule titled 'GetNetTcpconnection with PowerShell' identifies the execution of PowerShell commands that list current TCP connections on a Windows system. Specifically, it targets use of the 'Get-NetTcpConnection' cmdlet, which gives attackers or Red Team operators critical insight into the state of a system's network connections. Using telemetry from Endpoint Detection and Response (EDR) agents, the rule leverages Sysmon and Windows event logs to capture instances where 'powershell.exe' is executed with this command. Because the cmdlet is useful for network reconnaissance, detecting it helps security teams spot reconnaissance activity that could precede unauthorized access or lateral movement within the network. Implementing the rule requires ingesting logs that include process details and command-line arguments, and normalizing those logs to fit the Splunk Common Information Model (CIM).
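The page does not reproduce the rule's SPL, so the following is an added Python approximation of the logic it describes (not Splunk's own search): flag process-creation events where powershell.exe runs Get-NetTcpConnection, using CIM Endpoint.Processes field names (process_name, process, dest, user) as an assumption. It also goes one step beyond the summary by decoding a -EncodedCommand argument, since the plain string match would otherwise miss that case.

```python
import base64
import re

# Case-insensitive match on the cmdlet named in the detection rule.
CMDLET = re.compile(r"get-nettcpconnection", re.IGNORECASE)
# PowerShell accepts -e / -ec / -enc / -EncodedCommand followed by Base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload if present and valid, else ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_match(event: dict) -> bool:
    """True when process_name is powershell.exe and the command line
    (or its decoded -EncodedCommand payload) invokes Get-NetTcpConnection."""
    if event.get("process_name", "").lower() != "powershell.exe":
        return False
    cmdline = event.get("process", "")
    return bool(CMDLET.search(cmdline) or CMDLET.search(decode_encoded_command(cmdline)))


def find_matches(events):
    """Return the subset of events the detection would alert on."""
    return [e for e in events if is_match(e)]


# Constructed sample events (not real telemetry), shaped like CIM Endpoint.Processes
# records built from Sysmon Event ID 1 / Windows 4688 process-creation logs.
_ENC = base64.b64encode("Get-NetTcpConnection -State Listen".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"dest": "WS01", "user": "alice", "process_name": "powershell.exe",
     "process": "powershell.exe -NoProfile -Command Get-NetTcpConnection -State Established"},
    {"dest": "WS02", "user": "bob", "process_name": "POWERSHELL.EXE",
     "process": f"powershell.exe -NonInteractive -EncodedCommand {_ENC}"},
    {"dest": "WS03", "user": "carol", "process_name": "cmd.exe",
     "process": "cmd.exe /c netstat -ano"},
    {"dest": "WS04", "user": "dave", "process_name": "powershell.exe",
     "process": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']}: {hit['process']}")
```

Note that the third event (netstat via cmd.exe) is deliberately outside this rule's scope; it would need a separate detection.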
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Active Directory
ATT&CK Techniques
  • T1049
Created: 2024-11-13