
Potential Ping Sweep

Anvilogic Forge

Summary
This threat detection rule identifies potential ping sweeps, a reconnaissance technique adversaries use to map networked systems. The goal of a sweep is to learn which hosts are alive: a tool such as ping.exe sends ICMP echo requests to each address in a range and records which ones answer. The logic is written for Splunk and runs over Windows process-creation events (Security EventID 4688), matching new processes whose image is ping.exe. Because a single ping is routine, the rule applies a frequency filter: it flags hosts that spawn more than 30 ping processes within a 60-second interval.

A burst of ping processes from one host can indicate an attempt to enumerate live systems ahead of lateral movement, and is therefore a useful signal of reconnaissance by threat actors such as UNC2596, which is known for using this tactic in operations that also deployed malware from the Cuba and Hive ransomware families. Overall, the rule supports investigation of and response to threats already inside the network, in particular Remote System Discovery (T1018).
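The detection logic described above, re-implemented in Python as an added example (this is not the Anvilogic Forge rule's own code). It assumes events are available as key=value lines carrying the Windows Security log fields EventCode, ComputerName, NewProcessName and CommandLine plus a `_time` timestamp; the sample events are constructed for this example, the Splunk fragment in the comment is an assumed equivalent rather than the rule's source, and the distinct-target count is an extra context field the page does not describe.

```python
"""Ping-sweep detection over Windows 4688 process-creation events.

Added example, not the Anvilogic Forge rule's own logic: it re-implements the
threshold described on the page (more than 30 ping.exe creations per host in a
60-second window) so it can be run offline. Field names follow the Windows
Security log (EventCode, ComputerName, NewProcessName, CommandLine); the events
below are constructed for this example. Distinct-target counting is an extra
context field the page does not describe.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 60
THRESHOLD = 30  # rule fires when count > THRESHOLD

# Illustrative Splunk equivalent (an assumption, not the Forge rule's source):
#   index=wineventlog EventCode=4688 NewProcessName="*\\ping.exe"
#   | bin _time span=60s
#   | stats count by _time, ComputerName
#   | where count > 30

# key=value pairs; quoted values may contain spaces and backslashes
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields: dict[str, str] = {}
    for key, val in FIELD_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def parse_time(value: str) -> float:
    """ISO-8601 UTC timestamp (e.g. 2024-02-09T10:00:00Z) -> epoch seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def is_ping(event: dict[str, str]) -> bool:
    """Match on the image basename, case-insensitively, so PING.EXE and unusual paths still count."""
    image = event.get("NewProcessName", "").replace("/", "\\")
    return image.rsplit("\\", 1)[-1].lower() == "ping.exe"


def ping_target(command_line: str) -> str | None:
    """Best-effort target extraction: last argument that is neither a flag nor a flag's numeric value."""
    for tok in reversed(command_line.split()[1:]):
        if not tok.startswith("-") and not tok.isdigit():
            return tok
    return None


def detect_ping_sweeps(lines, window: int = WINDOW_SECONDS, threshold: int = THRESHOLD):
    """Return (window_start_iso, host, ping_count, distinct_targets) for each host/window over threshold."""
    counts: dict[tuple[int, str], int] = defaultdict(int)
    targets: dict[tuple[int, str], set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4688" or not is_ping(ev):
            continue
        # fixed 60 s bins aligned to the epoch, like Splunk's `bin _time span=60s`
        bucket = int(parse_time(ev["_time"]) // window) * window
        key = (bucket, ev.get("ComputerName", "unknown"))
        counts[key] += 1
        target = ping_target(ev.get("CommandLine", ""))
        if target:
            targets[key].add(target)
    hits = []
    for (bucket, host), n in sorted(counts.items()):
        if n > threshold:
            start = datetime.fromtimestamp(bucket, timezone.utc).isoformat()
            hits.append((start, host, n, len(targets[(bucket, host)])))
    return hits


# ---- constructed sample events (not real telemetry) ----
def _event(ts: datetime, host: str, image: str, cmd: str) -> str:
    return (f'_time={ts.strftime("%Y-%m-%dT%H:%M:%SZ")} EventCode=4688 ComputerName={host} '
            f'NewProcessName="{image}" CommandLine="{cmd}"')


_BASE = datetime(2024, 2, 9, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS: list[str] = []
# WS01: sweep of 35 consecutive addresses in 35 seconds, as a `for /L ... do ping -n 1` loop produces -> fires
for i in range(35):
    SAMPLE_EVENTS.append(_event(_BASE + timedelta(seconds=i), "WS01",
                                r"C:\Windows\System32\PING.EXE", f"ping -n 1 10.0.0.{i + 1}"))
# WS01 also spawns an unrelated process in the same window -> ignored by the image filter
SAMPLE_EVENTS.append(_event(_BASE + timedelta(seconds=5), "WS01",
                            r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"))
# WS02: monitoring script pinging its gateway five times a minute -> benign, under threshold
for i in range(5):
    SAMPLE_EVENTS.append(_event(_BASE + timedelta(seconds=12 * i), "WS02",
                                r"C:\Windows\System32\ping.exe", "ping -n 1 10.0.0.1"))
# WS03: 40 pings spread over ten minutes (4 per window) -> a slow sweep this threshold misses
for i in range(40):
    SAMPLE_EVENTS.append(_event(_BASE + timedelta(seconds=15 * i), "WS03",
                                r"C:\Windows\System32\ping.exe", f"ping 192.168.1.{i + 1}"))

if __name__ == "__main__":
    for start, host, n, distinct in detect_ping_sweeps(SAMPLE_EVENTS):
        print(f"{start} {host}: {n} ping.exe launches against {distinct} distinct targets")
```

Two caveats worth keeping in mind when tuning this. First, EventID 4688 is only emitted when process-creation auditing is enabled, and the CommandLine field (used here for target context) only appears when the "Include command line in process creation events" policy is also on. Second, the rule sees ping.exe launches, not ICMP traffic: a sweep run from a tool that implements ICMP itself (nmap -sn, a PowerShell Test-Connection loop) produces no ping.exe events, and an operator who paces the loop below 30 launches per minute, as host WS03 above does, stays under the threshold. Network-flow or firewall telemetry is the complementary source for those cases.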
Categories
  • Network
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1018
Created: 2024-02-09