Windows System Discovery Using ldap Nslookup

Splunk Security Content

Summary
This analytic rule detects execution of 'nslookup.exe' with LDAP queries, which can indicate malicious activity, in particular malware such as Qakbot gathering domain information. The detection is based on data collected from Endpoint Detection and Response (EDR) agents, which record process names and command-line arguments. Such a command often signals an intent to map network resources, identify key servers, and then launch follow-on activity that may result in data exfiltration or lateral movement within the network. The rule draws on multiple data sources, including Sysmon and Windows Event Logs, and underlines the need for comprehensive logging and monitoring to catch this potentially harmful behavior.
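As an added illustration of the criteria the summary describes (this is not Splunk's content or the rule's own SPL search), the following Python applies "nslookup.exe plus an LDAP-related query on the command line" to constructed Sysmon-style process-creation events. The exact LDAP pattern is an assumption, since the page does not give the rule's search string; the events, paths and domain names are constructed sample data.

```python
from typing import Dict, Iterable, List

# Constructed Sysmon EventCode 1 style process-creation events (not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # SRV lookup for domain controllers over LDAP: should match
        "Image": r"C:\Windows\System32\nslookup.exe",
        "OriginalFileName": "nslookup.exe",
        "CommandLine": "nslookup -querytype=srv _ldap._tcp.dc._msdcs.corp.example",
    },
    {  # ordinary hostname lookup: benign, should not match
        "Image": r"C:\Windows\System32\nslookup.exe",
        "OriginalFileName": "nslookup.exe",
        "CommandLine": "nslookup fileserver01.corp.example",
    },
    {  # binary copied under another name; PE OriginalFileName still reveals it
        "Image": r"C:\Users\Public\dns.exe",
        "OriginalFileName": "nslookup.exe",
        "CommandLine": "dns.exe -type=srv _ldap._tcp.corp.example",
    },
    {  # LDAP mentioned by a different tool: outside this rule's scope
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -c ([adsi]'LDAP://corp.example').distinguishedName",
    },
]

# Assumed pattern: the page says "LDAP queries" but does not give the rule's
# exact search string, so any nslookup command line mentioning ldap (for
# example an _ldap._tcp SRV record) is treated as a hit here.
LDAP_MARKER = "ldap"

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_ldap_nslookup(event: Dict[str, str]) -> bool:
    """True when the process is nslookup (by image path or by the PE's
    OriginalFileName, which survives renaming) and the command line
    carries an LDAP-related query."""
    names = {_basename(event.get("Image", "")),
             event.get("OriginalFileName", "").lower()}
    if "nslookup.exe" not in names:
        return False
    return LDAP_MARKER in event.get("CommandLine", "").lower()

def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events this rule would flag, for triage or alerting."""
    return [e for e in events if is_ldap_nslookup(e)]
```

In a real deployment the parent process and user context of each hit are what separate an administrator checking DNS from a foothold enumerating domain controllers, so carry those fields into the alert.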
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1033
Created: 2024-11-13