MacOS Network Share Discovery

Splunk Security Content

Summary
MacOS Network Share Discovery is an anomaly-based detection that flags Mac endpoints enumerating network shares to identify accessible SMB and NFS resources. The rule looks for execution of network-share discovery commands (smbutil, showmount) on macOS endpoints, using the Splunk Endpoint data model (Endpoint.Processes), populated from osquery data, via tstats to collect contextual fields such as destination host, command name, parent process, user, and process identifiers. It applies the macos_network_share_discovery_filter macro to reduce noise and focuses on commands that enumerate network shares, which adversaries commonly use during internal reconnaissance and in preparation for lateral movement.

The detection requires osquery data (TA-OSquery) deployed across indexers and forwarders to populate the data model. The search groups matching events by user and destination, reporting the first and last observed times (firstTime/lastTime), and provides drilldowns to view per-user/destination results and to correlate with broader risk events. It maps to MITRE ATT&CK technique T1135 (Network Share Discovery). The risk and response guidance identify two risk objects (user and destination) and one threat object (the process). Known false positives include legitimate administrative troubleshooting of network shares. References cite macOS process auditing, showmount, and smbutil documentation. The True Positive test uses an osquery dataset simulating smbutil/showmount activity.

In practice, investigations should correlate with authentication events, SMB/NFS access, unusual time windows, or unexpected users on a Mac host, and may warrant containment or further forensics if the activity falls outside a legitimate admin context. The drilldowns support rapid investigation and risk assessment for post-compromise threat hunts.
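The following Python block is an added illustration of the detection logic the summary describes, written for this page; it is not the rule's own SPL or any code from Splunk Security Content. It runs the same idea over a handful of constructed osquery-style process events: match the command name against smbutil/showmount (normalizing a full path to its basename), drop events covered by an allowlist that stands in for the macos_network_share_discovery_filter macro, and aggregate per user/destination with firstTime, lastTime, a count, and the process identifiers needed for the drilldowns. The field names, the allowlist shape, and the sample events are assumptions made for the example.

```python
"""Toy re-implementation of a network-share discovery detection.

Added example for this page, not the Splunk rule itself. Event field names
mirror the Endpoint.Processes fields the summary mentions; the allowlist is
a stand-in for the macos_network_share_discovery_filter macro (assumption).
"""
from collections import defaultdict
from os.path import basename

# Commands the page names as network-share enumeration on macOS.
DISCOVERY_COMMANDS = frozenset({"smbutil", "showmount"})

# Constructed sample events (not real telemetry). _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "mac-01", "user": "alice",
     "process_name": "/usr/bin/smbutil", "process": "smbutil view //fileserver",
     "parent_process_name": "bash", "process_id": 501, "parent_process_id": 400},
    {"_time": 1700000060, "dest": "mac-01", "user": "alice",
     "process_name": "showmount", "process": "showmount -e nas.local",
     "parent_process_name": "bash", "process_id": 502, "parent_process_id": 400},
    {"_time": 1700000120, "dest": "mac-02", "user": "svc-admin",
     "process_name": "smbutil", "process": "smbutil statshares -a",
     "parent_process_name": "Terminal", "process_id": 610, "parent_process_id": 600},
    {"_time": 1700000180, "dest": "mac-01", "user": "alice",
     "process_name": "ls", "process": "ls -la",
     "parent_process_name": "bash", "process_id": 503, "parent_process_id": 400},
    {"_time": 1700000300, "dest": "mac-01", "user": "alice",
     "process_name": "/usr/bin/smbutil", "process": "smbutil view //fileserver",
     "parent_process_name": "bash", "process_id": 504, "parent_process_id": 400},
]

# Hypothetical tuning: (user, dest) pairs known to troubleshoot shares legitimately.
ADMIN_ALLOWLIST = frozenset({("svc-admin", "mac-02")})


def is_discovery_command(process_name):
    """True when the executable (path stripped, case-folded) is smbutil or showmount."""
    return basename(process_name).lower() in DISCOVERY_COMMANDS


def apply_filter(events, allowlist):
    """Stand-in for the filter macro: drop events from allowlisted user/host pairs."""
    return [e for e in events if (e["user"], e["dest"]) not in allowlist]


def detect(events, allowlist=frozenset()):
    """Return one row per (user, dest, command, parent) with time window and count."""
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None,
                                  "count": 0, "process_ids": []})
    for e in apply_filter(events, allowlist):
        if not is_discovery_command(e["process_name"]):
            continue
        key = (e["user"], e["dest"], basename(e["process_name"]).lower(),
               e["parent_process_name"])
        g = groups[key]
        t = e["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["count"] += 1
        g["process_ids"].append(e["process_id"])

    rows = []
    for (user, dest, cmd, parent), g in sorted(groups.items()):
        rows.append({"user": user, "dest": dest, "process_name": cmd,
                     "parent_process_name": parent, **g})
    return rows


def risk_objects(row):
    """Map a result row to the page's two risk objects and one threat object."""
    return {"risk_user": row["user"], "risk_dest": row["dest"],
            "threat_process": row["process_name"]}


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, ADMIN_ALLOWLIST):
        print(row, risk_objects(row))
```

With the allowlist applied, only alice's activity on mac-01 survives: a single showmount row and an smbutil row whose count of 2 and widened firstTime/lastTime window come from the two separate invocations. Running without the allowlist adds the svc-admin row, which is the kind of known false positive (administrative troubleshooting) the filter macro exists to suppress.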
Categories
  • Endpoint
  • macOS
Data Sources
  • User Account
  • Process
  • File
  • Script
  • Image
ATT&CK Techniques
  • T1135
Created: 2026-03-02