
GetAdGroup with PowerShell

Splunk Security Content

Summary
The detection rule identifies execution of the PowerShell cmdlet `Get-AdGroup`, which queries domain groups in a Windows Active Directory environment. The cmdlet is used by legitimate administrators, but also by attackers gathering information for reconnaissance or post-exploitation. The detection uses process-creation telemetry from Endpoint Detection and Response (EDR) agents, in particular Sysmon EventID 1 and Windows Security Event Log 4688, to find instances where `powershell.exe` is launched with `Get-AdGroup` in its command line. The enumeration itself is only discovery, but the group membership it returns (for example, who belongs to Domain Admins) is what an attacker needs to plan privilege escalation and lateral movement across the network. The search aggregates matching events by process name, command-line arguments and related metadata fields, filtered for domain enumeration activity. Because administrators run this cmdlet routinely, results should be tuned against known administrative hosts and accounts; what remains warrants timely investigation to protect the network's security posture and Active Directory integrity.
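The detection logic described above, written out as an added Python example over constructed process-creation records. This is not Splunk's own SPL search or code from the Security Content project; it mirrors the rule's logic (a `powershell.exe` process whose command line contains `get-adgroup`, matched case-insensitively, then aggregated per host, user and process name the way a `stats count min(_time) max(_time) by ...` would). Going beyond the rule, it also exposes two gaps a practitioner should know about: an `-EncodedCommand` invocation is missed by plain substring matching unless the Base64-wrapped UTF-16LE payload is decoded first, and PowerShell 7 (`pwsh.exe`) is missed unless it is added to the process-name list. The field names, hostnames, users and command lines are assumptions made for the example.

```python
"""Detection logic for 'GetAdGroup with PowerShell' as an added example.

Not Splunk's SPL; the records below are constructed for this example and are
a normalised subset of the fields Sysmon EventID 1 / Security 4688 carry.
"""
import base64
import re
from collections import defaultdict

# Constructed: what an attacker's "-enc" payload looks like (Base64 of UTF-16LE).
_ENCODED = base64.b64encode("Get-ADGroup -Filter *".encode("utf-16le")).decode("ascii")

# Constructed sample events (hosts, users and paths are assumptions).
SAMPLE_EVENTS = [
    {"time": "2024-11-13T09:01:10Z", "event_code": 1, "host": "ws01.corp.example",
     "user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -Command "Get-ADGroup -Filter * -Properties Members"'},
    {"time": "2024-11-13T09:02:45Z", "event_code": 4688, "host": "ws01.corp.example",
     "user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"Get-AdGroup -Identity 'Domain Admins' -Properties Members\""},
    {"time": "2024-11-13T09:05:00Z", "event_code": 1, "host": "dc01.corp.example",
     "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},  # benign
    {"time": "2024-11-13T09:07:30Z", "event_code": 1, "host": "ws02.corp.example",
     "user": "CORP\\mallory", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + _ENCODED},  # hidden from substring match
    {"time": "2024-11-13T09:08:00Z", "event_code": 1, "host": "ws03.corp.example",
     "user": "CORP\\admin1", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe -Command Get-ADGroup -Filter *"},  # PowerShell 7, not powershell.exe
    {"time": "2024-11-13T09:09:00Z", "event_code": 1, "host": "ws02.corp.example",
     "user": "CORP\\mallory", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c net group "Domain Admins" /domain'},  # same goal, outside this rule
]

# -e, -ec, -enc and -encodedcommand are all accepted by powershell.exe; the
# lookbehind keeps "-ExecutionPolicy" and similar switches from matching.
PS_ENCODED_RE = re.compile(r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def process_basename(image: str) -> str:
    """Sysmon 'Image' / 4688 'NewProcessName' are full paths; the rule keys on the file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = PS_ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def matches_get_adgroup(event, process_names=("powershell.exe",), decode_encoded=False) -> bool:
    """The rule's core test: named process plus 'get-adgroup' in the command line."""
    if process_basename(event["image"]) not in process_names:
        return False
    haystack = event["command_line"]
    if decode_encoded:
        decoded = decode_encoded_command(haystack)
        if decoded:
            haystack = haystack + "\n" + decoded
    return "get-adgroup" in haystack.lower()


def detect(events, process_names=("powershell.exe",), decode_encoded=False):
    """Aggregate matching events per (host, user, process), like a stats-by clause."""
    groups = defaultdict(list)
    for ev in events:
        if matches_get_adgroup(ev, process_names, decode_encoded):
            groups[(ev["host"], ev["user"], process_basename(ev["image"]))].append(ev)
    hits = []
    for (host, user, proc), evs in sorted(groups.items()):
        times = [e["time"] for e in evs]  # ISO-8601 strings compare chronologically
        hits.append({"host": host, "user": user, "process_name": proc, "count": len(evs),
                     "first_seen": min(times), "last_seen": max(times),
                     "command_lines": [e["command_line"] for e in evs]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, process_names=("powershell.exe", "pwsh.exe"), decode_encoded=True):
        print(f"{hit['host']} {hit['user']} {hit['process_name']} x{hit['count']} "
              f"{hit['first_seen']}..{hit['last_seen']}")
```

Run as written, the rule's plain form flags only `CORP\jdoe` on ws01; the `-enc` payload from `CORP\mallory` and the `pwsh.exe` call from `CORP\admin1` surface only when decoding and the extra process name are switched on. The `net group` call is outside this rule's scope entirely and needs its own detection.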
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1069
  • T1069.002
Created: 2024-11-13