
Powershell Get LocalGroup Discovery with Script Block Logging

Splunk Security Content

Summary
This detection identifies execution of the PowerShell cmdlet `Get-LocalGroup` by inspecting PowerShell Script Block Logging events (EventCode=4104) for the cmdlet name in the logged script block text. `Get-LocalGroup` enumerates the local groups on a Windows host. Administrators run it routinely, but an attacker with a foothold runs it for the same reason: to learn which local groups exist (and, in follow-on commands, who is in them) before attempting privilege escalation or lateral movement. Because Script Block Logging records the de-obfuscated script content rather than only the process command line, the analytic sees the cmdlet even when it is invoked from a script, an encoded command, or an interactive session. Expect benign hits; tune on account, host role and scheduling context so that legitimate administrative and inventory activity is suppressed without losing visibility. When the analytic fires, review the full script block and the parent and sibling processes, since a single `Get-LocalGroup` line rarely tells the story on its own.
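The following is an added example, not Splunk's published search or any code from this page: it emulates the detection logic in Python over a handful of constructed 4104 event records so the matching and aggregation behaviour can be tried offline. Field names (`EventCode`, `Computer`, `UserID`, `ScriptBlockText`, `_time`) are assumed to follow the common Splunk extraction of the Microsoft-Windows-PowerShell/Operational log; the sample events and SIDs are invented. The `allowlisted_users` parameter stands in for the kind of tuning the summary recommends.

```python
"""Emulate a Get-LocalGroup script-block detection over constructed 4104 events.

Added illustration only. Events below are constructed, not real telemetry; the
field names assume the usual Splunk extraction of Windows PowerShell 4104 events.
"""
import re

# Constructed sample events (epoch seconds, synthetic SIDs and hostnames).
SAMPLE_EVENTS = [
    {"_time": 1731480000, "EventCode": 4104, "Computer": "WKS-01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "Get-LocalGroup | Select-Object Name"},
    # Substring match: the member-enumeration cmdlet also contains "Get-LocalGroup".
    {"_time": 1731480060, "EventCode": 4104, "Computer": "WKS-01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "Get-LocalGroupMember -Group Administrators"},
    # Case differs; matching must be case-insensitive.
    {"_time": 1731480120, "EventCode": 4104, "Computer": "SRV-02.corp.local",
     "UserID": "S-1-5-21-1-2-3-500",
     "ScriptBlockText": "get-localgroup administrators"},
    # Unrelated script block: must not match.
    {"_time": 1731480180, "EventCode": 4104, "Computer": "WKS-01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    # Same discovery goal via net.exe: this cmdlet-name analytic does NOT see it.
    {"_time": 1731480240, "EventCode": 4104, "Computer": "WKS-03.corp.local",
     "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockText": "net localgroup administrators"},
    # Wrong event code (module logging, not script block): out of scope.
    {"_time": 1731480300, "EventCode": 4103, "Computer": "WKS-01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "Get-LocalGroup"},
]

# Equivalent of a case-insensitive wildcard match on the cmdlet name.
CMDLET_PATTERN = re.compile(r"get-localgroup", re.IGNORECASE)


def match_event(event):
    """True when the event is a 4104 script block containing the cmdlet name."""
    if event.get("EventCode") != 4104:
        return False
    return CMDLET_PATTERN.search(event.get("ScriptBlockText", "")) is not None


def run_detection(events, allowlisted_users=()):
    """Aggregate matching events by (Computer, UserID), like a stats-style search.

    Returns {(Computer, UserID): {"count", "firstTime", "lastTime", "ScriptBlockText"}}.
    allowlisted_users is an assumed tuning hook: a set of UserID values (for
    example vetted admin or inventory service accounts) whose hits are dropped.
    """
    results = {}
    for ev in events:
        if not match_event(ev) or ev["UserID"] in allowlisted_users:
            continue
        key = (ev["Computer"], ev["UserID"])
        entry = results.setdefault(key, {
            "count": 0,
            "firstTime": ev["_time"],
            "lastTime": ev["_time"],
            "ScriptBlockText": [],
        })
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ev["_time"])
        entry["lastTime"] = max(entry["lastTime"], ev["_time"])
        # Keep the full script block for triage; the cmdlet alone is rarely conclusive.
        entry["ScriptBlockText"].append(ev["ScriptBlockText"])
    return results


if __name__ == "__main__":
    for (computer, user), hit in run_detection(SAMPLE_EVENTS).items():
        print(f"{computer} {user} count={hit['count']} "
              f"first={hit['firstTime']} last={hit['lastTime']}")
        for block in hit["ScriptBlockText"]:
            print(f"    {block}")
```

Two behaviours in the sample set are worth noticing when tuning. The substring match also fires on `Get-LocalGroupMember`, which is the same discovery technique (T1069.001) and usually desirable, but it means one enumeration script can produce several hits per host. Conversely, `net localgroup` reaches the same goal without the cmdlet name and is invisible to this analytic, so it should be paired with a process-based detection on `net.exe`/`net1.exe` rather than relied on alone.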
Categories
  • Endpoint
Data Sources
  • Powershell Script Block Logging 4104
ATT&CK Techniques
  • T1069.001
  • T1069
  • T1059.001
Created: 2024-11-13