
Summary
This detection rule identifies instances where the `net.exe` utility is used to disable a user account from the command line on a Windows endpoint. It uses data collected from Endpoint Detection and Response (EDR) agents, specifically process execution logs (Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2). The detection matters because disabling user accounts can indicate an attacker's effort to disrupt the availability of legitimate users, potentially paving the way for further malicious actions. If the activity is confirmed as malicious, it can signify denial of service for those users and help the attacker maintain control over the system or hide their tracks. The detection logic inspects process names and command-line arguments, focusing on the executed commands that disable an account.
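As an added illustration of the logic the summary describes (not the rule's own search or code), the script below runs the process-name and command-line check over a few constructed Sysmon-style process-creation records; the field names, the inclusion of `net1.exe` (which `net.exe` delegates `user` operations to), and the `/active:no` switch pattern are this example's assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon EventID 1 / Security 4688 style),
# flattened to the fields the rule needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "process_name": "net.exe",
     "parent": "cmd.exe", "cmdline": "net user jsmith /active:no"},
    {"host": "DC01", "user": "CORP\\svc-admin", "process_name": "net1.exe",
     "parent": "net.exe", "cmdline": "C:\\Windows\\system32\\net1 user backupop /ACTIVE:NO /domain"},
    {"host": "WS02", "user": "CORP\\jdoe", "process_name": "net.exe",
     "parent": "powershell.exe", "cmdline": "net user jsmith /active:yes"},
    {"host": "WS03", "user": "CORP\\analyst", "process_name": "net.exe",
     "parent": "cmd.exe", "cmdline": "net view \\\\fileserver"},
    {"host": "WS04", "user": "CORP\\helpdesk", "process_name": "netsh.exe",
     "parent": "cmd.exe", "cmdline": "netsh advfirewall set allprofiles state off"},
]

# net.exe hands "net user" work to net1.exe, so both binaries are covered (assumption of this example).
PROCESS_NAMES = {"net.exe", "net1.exe"}
# "user" subcommand followed later by /active:no; Windows parses switches case-insensitively.
DISABLE_PATTERN = re.compile(r"\buser\b.*?/active:\s*no\b", re.IGNORECASE)


def is_disable_account(event):
    """True when the event is net.exe/net1.exe deactivating an account."""
    if event["process_name"].lower() not in PROCESS_NAMES:
        return False
    return DISABLE_PATTERN.search(event["cmdline"]) is not None


def target_account(cmdline):
    """Extract the account name from 'net user <name> /active:no' for the alert."""
    m = re.search(r"\buser\s+([^\s/]+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def scan(events):
    """Return one finding per matching event, with the fields an analyst needs for triage."""
    findings = []
    for ev in events:
        if is_disable_account(ev):
            findings.append({"host": ev["host"], "actor": ev["user"], "parent": ev["parent"],
                             "target": target_account(ev["cmdline"]), "technique": "T1531"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The re-enable (`/active:yes`), unrelated `net view`, and `netsh.exe` records are deliberately included so the check's false-positive boundaries are visible; parent process and actor are carried into the finding because a helpdesk account running this from an admin console needs different triage than an interactive shell spawned from an unusual parent.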
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1531
Created: 2025-01-13