O365 Common Recon Commands

Anvilogic Forge

Summary
This detection rule identifies common reconnaissance cmdlets used by attackers, in particular those attributed to the APT29/Nobelium/Cozy Bear threat actor group. After gaining access to a machine within a network, attackers often run specialized PowerShell commands to gather sensitive information or to prepare the deployment of malware. The rule captures a set of Exchange cmdlets whose use may indicate an ongoing reconnaissance operation: Get-AcceptedDomain, Get-CASMailbox, Get-Mailbox, Get-ManagementRoleAssignment, Get-OrganizationConfig, Get-MailboxExportRequest, Get-OwaVirtualDirectory, and Get-WebServicesVirtualDirectory. These cmdlets are standard tools for accessing and managing Exchange services. By monitoring them in Office 365 audit logs, the rule flags cases where the same user invokes several of these commands within a brief timeframe, a pattern that is unusual and may precede an attack. The Splunk logic provided uses data collected from cloud-specific data sources, which is what makes the detection relevant and effective in the Office 365 environment.
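The burst logic described above, written out as an added Python example (this is not Anvilogic's Splunk rule, and it is not code from the Forge page). It assumes Office 365 unified audit log records exported as one JSON object per line, with the Exchange cmdlet name in the Operation field, the actor in UserId and the timestamp in CreationTime; the sample records, the 10-minute window and the threshold of three distinct cmdlets are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The Exchange cmdlets named in the rule summary.
RECON_CMDLETS = {
    "Get-AcceptedDomain", "Get-CASMailbox", "Get-Mailbox",
    "Get-ManagementRoleAssignment", "Get-OrganizationConfig",
    "Get-MailboxExportRequest", "Get-OwaVirtualDirectory",
    "Get-WebServicesVirtualDirectory",
}

# Constructed sample records in the shape of O365 unified audit log entries
# (field names CreationTime / UserId / Operation are assumed for this example).
# "admin" runs four distinct recon cmdlets within three minutes;
# "helpdesk" runs two of them, far apart in time; Set-Mailbox is not a recon cmdlet.
SAMPLE_LOG = """\
{"CreationTime": "2024-02-09T10:00:05", "UserId": "admin@contoso.example", "Operation": "Get-Mailbox", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T10:00:40", "UserId": "admin@contoso.example", "Operation": "Get-CASMailbox", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T10:01:00", "UserId": "helpdesk@contoso.example", "Operation": "Get-Mailbox", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T10:01:12", "UserId": "admin@contoso.example", "Operation": "Get-OrganizationConfig", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T10:02:30", "UserId": "admin@contoso.example", "Operation": "Get-ManagementRoleAssignment", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T10:03:00", "UserId": "admin@contoso.example", "Operation": "Set-Mailbox", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T11:30:00", "UserId": "helpdesk@contoso.example", "Operation": "Get-CASMailbox", "Workload": "Exchange"}
{"CreationTime": "2024-02-09T11:31:00", "UserId": "helpdesk@contoso.example", "Operation": "Get-Mailbox", "Workload": "Exchange"}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records into dicts with a datetime 'time' key."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        records.append({
            "time": datetime.fromisoformat(raw["CreationTime"]),
            "user": raw.get("UserId", "<unknown>"),
            "op": raw.get("Operation", ""),
        })
    return records


def find_recon_bursts(records, window=timedelta(minutes=10), min_distinct=3):
    """Return {user: (window_start, set_of_cmdlets)} for every user who invoked at
    least `min_distinct` distinct recon cmdlets within any `window`-long span.
    Only the first qualifying window per user is reported."""
    by_user = defaultdict(list)
    for r in records:
        if r["op"] in RECON_CMDLETS:          # ignore everything that is not a recon cmdlet
            by_user[r["user"]].append((r["time"], r["op"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()                         # chronological order for the sliding window
        for i, (start, _) in enumerate(events):
            # distinct cmdlets seen from this event until the window closes
            seen = {op for t, op in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts[user] = (start, seen)
                break
    return alerts


if __name__ == "__main__":
    for user, (start, cmdlets) in find_recon_bursts(parse_records(SAMPLE_LOG)).items():
        print(f"{user}: {len(cmdlets)} distinct recon cmdlets from {start}: {sorted(cmdlets)}")
```

Counting distinct cmdlets rather than raw invocations is what keeps an administrator who repeats Get-Mailbox for a ticket queue from tripping the rule; the window and threshold should be tuned against a baseline of the tenant's own Exchange admin activity before the alert is promoted.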
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Cloud Service
  • User Account
  • Application Log
ATT&CK Techniques
  • T1087
  • T1526
Created: 2024-02-09