
Summary
The "Windows Wmic Network Discovery" detection rule monitors the execution of Windows Management Instrumentation Command-line (WMIC) commands used for network discovery on Windows systems. It specifically identifies commands such as `wmic nic`, which are run to list the installed network adapters and their details. Although system administrators legitimately use these commands for network inventory and diagnostics, attackers can also use them for reconnaissance, mapping network configurations and identifying potential targets. The rule uses process-execution telemetry from Sysmon and the Windows Event Log, matching WMIC process executions whose command line contains "nic", and correlates each match with the user and destination host to surface unauthorized enumeration activity. Implementation requires ingesting endpoint telemetry and normalizing it with Splunk's Common Information Model. Known false positives arise when administrators run these commands for benign purposes.
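The matching logic described above, run over a handful of constructed Sysmon-style process records, as an added example that is not the rule's own SPL or any Splunk code. It assumes the records are already normalized to CIM Endpoint.Processes field names (process_name, process, user, dest, _time), reproduces the rule's "command line contains nic" test, and groups hits by user and destination with first/last time and count. The stricter token-based variant (matching `nic` or `nicconfig` only as a standalone WMIC alias) is an assumption added here to show how a bare substring match can fire on unrelated command lines such as one containing the word "Unicode".

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon Event ID 1 style process records, already normalized to
# CIM Endpoint.Processes field names. These are sample values, not real logs.
SAMPLE_EVENTS = [
    {"_time": "2025-08-25T09:01:12Z", "dest": "ws-042", "user": "CORP\\jdoe",
     "process_name": "wmic.exe", "process": "wmic nic get name,macaddress"},
    {"_time": "2025-08-25T09:01:15Z", "dest": "ws-042", "user": "CORP\\jdoe",
     "process_name": "wmic.exe", "process": "wmic nicconfig get ipaddress,dnsserversearchorder"},
    {"_time": "2025-08-25T09:03:40Z", "dest": "ws-042", "user": "CORP\\jdoe",
     "process_name": "cmd.exe", "process": "cmd.exe /c ipconfig /all"},
    {"_time": "2025-08-25T10:20:05Z", "dest": "srv-db01", "user": "CORP\\svc_inventory",
     "process_name": "WMIC.exe", "process": "WMIC NIC GET Name,Speed"},
    # Benign WMIC query whose command line happens to contain "nic" inside "Unicode".
    {"_time": "2025-08-25T11:45:00Z", "dest": "ws-017", "user": "CORP\\asmith",
     "process_name": "wmic.exe", "process": 'wmic product where "name like \'%Unicode%\'" get version'},
]

# Assumed refinement: the WMIC alias must appear as its own word.
ALIAS_RE = re.compile(r"\bnic(config)?\b", re.IGNORECASE)


def is_wmic(event):
    """True when the process image is wmic.exe (case-insensitive)."""
    return event.get("process_name", "").lower() == "wmic.exe"


def matches_rule(event):
    """Rule as described on the page: a WMIC execution whose command line contains 'nic'."""
    return is_wmic(event) and "nic" in event.get("process", "").lower()


def matches_alias(event):
    """Stricter variant: 'nic' or 'nicconfig' as a standalone WMIC alias token."""
    return is_wmic(event) and ALIAS_RE.search(event.get("process", "")) is not None


def summarise(events, predicate=matches_rule):
    """Group matching events by (user, dest), like a stats count/first/last by clause."""
    groups = defaultdict(list)
    for ev in events:
        if predicate(ev):
            groups[(ev["user"], ev["dest"])].append(ev)
    rows = []
    for (user, dest), evs in groups.items():
        times = sorted(datetime.fromisoformat(e["_time"].replace("Z", "+00:00")) for e in evs)
        rows.append({
            "user": user,
            "dest": dest,
            "count": len(evs),
            "firstTime": times[0].isoformat(),
            "lastTime": times[-1].isoformat(),
            "process": sorted({e["process"] for e in evs}),
        })
    return sorted(rows, key=lambda r: (r["dest"], r["user"]))


if __name__ == "__main__":
    print("substring match (rule as described):")
    for row in summarise(SAMPLE_EVENTS):
        print(row)
    print("alias-token match (assumed refinement):")
    for row in summarise(SAMPLE_EVENTS, matches_alias):
        print(row)
```

With the substring test, the "Unicode" query on ws-017 is reported alongside the real adapter enumeration on ws-042 and srv-db01; the token-based variant drops it while still catching both `nic` and `nicconfig`, including the upper-case form. Whether the service account's scheduled inventory on srv-db01 is a true positive is the allow-listing decision the rule's false-positive note refers to.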
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
- Command
ATT&CK Techniques
- T1082
Created: 2025-08-25