Event Logs Queried for RDP Sessions

Anvilogic Forge

Summary
This rule aims to detect potentially malicious activity in which threat actors query the Windows Terminal Services logs for Remote Desktop Protocol (RDP) session details. Specifically, it looks for commands that access the event logs recording user disconnections and successful logon attempts for RDP sessions, denoted by Event Code 25 and Event ID 1149 respectively. The logic also searches for PowerShell commands that could invoke queries of these logs, such as 'qe' or 'Query-Event'. Notable threat actors, such as Cluster Charlie and Lazarus, have been observed using similar techniques during reconnaissance. The logic is designed to remain effective when adversaries rename standard command-line tools such as 'wevtutil', which broadens its detection coverage. By monitoring the relevant event IDs within the Windows event logging infrastructure, this rule improves the ability to uncover suspicious log-querying activity that could indicate a compromised system under reconnaissance.
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1082
Created: 2024-02-09