
Cisco ASA - Reconnaissance Command Activity

Splunk Security Content

Summary
This detection rule focuses on identifying potential reconnaissance activities on Cisco ASA devices by monitoring for the execution of multiple 'show' commands that provide adversaries with vital information about network devices and their configurations. When an adversary gains access to such infrastructure, they often perform systematic reconnaissance to gather data on device configurations, network topologies, and active connections. This rule uses a specific logging message (ID 111009) to detect when a user executes seven or more unique reconnaissance-oriented 'show' commands within a 5-minute window. Such commands include 'show running-config', 'show version', and others, which are crucial for understanding the device state and uncovering potential attack paths. The rule emphasizes that atypical patterns, like bursts of show commands from non-administrative accounts or during unusual hours, should be investigated closely, and it suggests filtering out legitimate administrative actions to reduce false positives.
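The following is an added example, not code from Splunk Security Content or from the rule itself. It sketches the logic described in the summary in Python and runs it over constructed Cisco ASA syslog lines: events carrying message ID 111009 are parsed, the user and command are extracted, output filters such as `| include` are stripped so the same command is not counted twice, and a user is flagged when seven or more distinct reconnaissance-oriented `show` commands fall inside a sliding 5-minute window. The syslog prefix, the `RECON_PREFIXES` list and the `allowlist` parameter (the filter for known administrative accounts that the rule suggests) are assumptions made for the example; the message text `User 'name' executed cmd: ...` follows the documented 111009 format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog layout: "<Mon> <day> <HH:MM:SS> <host> %ASA-7-111009: User '<user>' executed cmd: <cmd>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-7-111009: "
    r"User '(?P<user>[^']+)' executed cmd: (?P<cmd>.+)$"
)

# Hypothetical list of show commands that reveal configuration, topology or sessions.
RECON_PREFIXES = (
    "show running-config", "show version", "show interface", "show route",
    "show arp", "show conn", "show xlate", "show access-list", "show nat",
    "show vpn-sessiondb", "show crypto", "show user", "show aaa", "show logging",
)
THRESHOLD = 7                 # distinct recon commands that trigger an alert
WINDOW = timedelta(minutes=5) # sliding window, as in the rule summary


def parse_line(line, year=2025):
    """Return (timestamp, user, command) for a 111009 line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["cmd"].strip()


def normalize(cmd):
    """Drop output filters ('| include aaa') and collapse whitespace/case."""
    cmd = cmd.split("|", 1)[0]
    return " ".join(cmd.lower().split())


def is_recon(cmd):
    return any(cmd.startswith(prefix) for prefix in RECON_PREFIXES)


def detect(lines, allowlist=frozenset(), threshold=THRESHOLD, window=WINDOW):
    """Map user -> alert details for users exceeding the threshold in any window."""
    by_user = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, cmd = parsed
        cmd = normalize(cmd)
        if user in allowlist or not is_recon(cmd):
            continue
        by_user[user].append((ts, cmd))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        # Slide the window start over each event; count distinct commands inside it.
        for i, (start, _) in enumerate(events):
            seen = {c for ts, c in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts[user] = {"first_seen": start, "distinct_commands": sorted(seen)}
                break
    return alerts


# Constructed sample data: one burst from a service account, one burst from a
# known admin, a below-threshold user, and an unrelated login message.
SAMPLE_LINES = [
    'Nov 18 02:13:50 asa-edge %ASA-6-605005: Login permitted from 203.0.113.10/51234 to outside:198.51.100.1/ssh for user "svc_backup"',
    "Nov 18 02:14:03 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show version",
    "Nov 18 02:14:20 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show running-config",
    "Nov 18 02:14:41 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show running-config | include aaa",
    "Nov 18 02:15:02 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show interface ip brief",
    "Nov 18 02:15:30 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show route",
    "Nov 18 02:15:55 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show arp",
    "Nov 18 02:16:12 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show conn",
    "Nov 18 02:16:40 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show access-list",
    "Nov 18 02:17:05 asa-edge %ASA-7-111009: User 'svc_backup' executed cmd: show vpn-sessiondb",
    "Nov 18 09:00:05 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show version",
    "Nov 18 09:00:40 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show running-config",
    "Nov 18 09:01:10 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show interface",
    "Nov 18 09:01:45 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show route",
    "Nov 18 09:02:20 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show conn",
    "Nov 18 09:03:00 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show nat",
    "Nov 18 09:03:50 asa-edge %ASA-7-111009: User 'netadmin' executed cmd: show logging",
    "Nov 18 10:30:00 asa-edge %ASA-7-111009: User 'noc_user' executed cmd: show conn",
    "Nov 18 10:30:30 asa-edge %ASA-7-111009: User 'noc_user' executed cmd: show xlate",
]

if __name__ == "__main__":
    for user, info in detect(SAMPLE_LINES, allowlist={"netadmin"}).items():
        print(user, info["first_seen"], len(info["distinct_commands"]), "distinct show commands")
```

Without an allowlist both `svc_backup` and `netadmin` trip the threshold; passing `allowlist={"netadmin"}` suppresses the known administrator, which is the tuning the rule summary recommends. The window is sliding rather than fixed 5-minute bins, so a burst that straddles a bin boundary is still caught.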
Categories
  • Network
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Application Log
  • Process
ATT&CK Techniques
  • T1082
  • T1590.001
  • T1590.005
Created: 2025-11-18