
Summary
The detection rule 'Get DomainPolicy with Powershell' identifies reconnaissance activity in which the `Get-DomainPolicy` cmdlet is executed via `powershell.exe`. Attackers typically use this cmdlet to extract sensitive password policy information from a Windows domain, which can facilitate unauthorized access and further attacks within the network. The rule uses telemetry from endpoint monitoring sources such as Sysmon and Windows Event Logs, matching process-creation events whose command line contains the 'Get-DomainPolicy' pattern. Implementing it requires proper data ingestion from EDR agents and alignment with the Splunk Common Information Model (CIM) so that detection and alerting work as intended.
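The following is an added illustration of the detection logic described above, not the Splunk rule's own SPL. It parses a handful of constructed Sysmon-style process-creation records (the `key=value|key=value` layout is made up for the example and is not a real Sysmon export), maps them onto the Splunk CIM Endpoint.Processes field names (`dest`, `user`, `process_name`, `process`, `parent_process_name`), and then applies the rule's two conditions: the process is `powershell.exe` and its command line contains `Get-DomainPolicy`, matched case-insensitively.

```python
import os
import re

# Constructed sample events in a Sysmon Event ID 1 style. The record layout
# ('key=value' pairs joined by '|') is invented for this example only.
SAMPLE_EVENTS = [
    # Plain invocation of the cmdlet: should alert.
    "EventID=1|Computer=ws01.corp.example|User=CORP\\alice"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -Command \"Get-DomainPolicy\""
    "|ParentImage=C:\\Windows\\explorer.exe",
    # Same cmdlet with different casing in both the image path and the
    # command line: should still alert.
    "EventID=1|Computer=srv02.corp.example|User=CORP\\svc_backup"
    "|Image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE"
    "|CommandLine=POWERSHELL.EXE -Command \"get-domainpolicy\""
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    # Benign PowerShell use: should not alert.
    "EventID=1|Computer=ws03.corp.example|User=CORP\\bob"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -Command Get-Date"
    "|ParentImage=C:\\Windows\\explorer.exe",
    # The string appears, but the process is not powershell.exe, so the rule
    # as described does not fire.
    "EventID=1|Computer=ws04.corp.example|User=CORP\\carol"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c echo Get-DomainPolicy"
    "|ParentImage=C:\\Windows\\explorer.exe",
]

# Case-insensitive match on the cmdlet name named by the rule.
CMDLET_PATTERN = re.compile(r"get-domainpolicy", re.IGNORECASE)


def parse_event(raw: str) -> dict:
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in raw.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def _basename(windows_path: str) -> str:
    """Return the lower-cased file name of a Windows path, portable across OSes."""
    return os.path.basename(windows_path.replace("\\", "/")).lower()


def to_cim(fields: dict) -> dict:
    """Map Sysmon-style field names onto Splunk CIM Endpoint.Processes names."""
    return {
        "dest": fields.get("Computer", ""),
        "user": fields.get("User", ""),
        "process_name": _basename(fields.get("Image", "")),
        "process": fields.get("CommandLine", ""),
        "parent_process_name": _basename(fields.get("ParentImage", "")),
    }


def is_match(event: dict) -> bool:
    """The rule's conditions: powershell.exe whose command line names the cmdlet."""
    return (
        event["process_name"] == "powershell.exe"
        and CMDLET_PATTERN.search(event["process"]) is not None
    )


def detect(raw_events) -> list:
    """Normalize each raw record to CIM fields and return those that match."""
    alerts = []
    for raw in raw_events:
        event = to_cim(parse_event(raw))
        if is_match(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(
            f"ALERT dest={alert['dest']} user={alert['user']} "
            f"parent={alert['parent_process_name']} cmd={alert['process']}"
        )
```

Two of the four constructed records produce alerts: the first and the mixed-case second. The fourth record shows a limit of the rule as described: the match is scoped to `powershell.exe`, so the same string in another process's command line is not flagged. Because the rule keys on the literal cmdlet name in the command line, the CIM `process` field must actually carry the full command line (Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled); a process-creation source that records only the image path gives the rule nothing to match on.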
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1201
Created: 2024-11-13