Reconnaissance activity detection

DeviceProcessEvents
| where Timestamp > ago(7d)
| where (InitiatingProcessCommandLine == 'gpresult /z' 
or InitiatingProcessCommandLine == 'gpresult /v' 
or InitiatingProcessCommandLine == 'gpresult' 
or InitiatingProcessCommandLine == 'net view' 
or InitiatingProcessCommandLine == 'net view /domain' 
or InitiatingProcessCommandLine == 'netstat' 
or InitiatingProcessCommandLine == 'netstat -nab' 
or InitiatingProcessCommandLine == 'netstat -nao' 
or InitiatingProcessCommandLine == 'nslookup 127.0.0.1' 
or InitiatingProcessCommandLine == 'ipconfig /all' 
or InitiatingProcessCommandLine == 'arp -a' 
or InitiatingProcessCommandLine == 'net share' 
or InitiatingProcessCommandLine == 'net use' 
or InitiatingProcessCommandLine == 'systeminfo' 
or InitiatingProcessCommandLine == 'net user' 
or InitiatingProcessCommandLine == 'net user administrator' 
or InitiatingProcessCommandLine == 'net user /domain' 
or InitiatingProcessCommandLine == 'net group' 
or InitiatingProcessCommandLine == 'net group /domain' 
or InitiatingProcessCommandLine == 'net localgroup' 
or InitiatingProcessCommandLine == 'net localgroup' 
or InitiatingProcessCommandLine == 'net localgroup Administrators' 
or InitiatingProcessCommandLine == 'net group \"Domain Computers\" /domain' 
or InitiatingProcessCommandLine == 'net group \"Domain Admins\" /domain' 
or InitiatingProcessCommandLine == 'net group \"Domain Controllers\" /domain' 
or InitiatingProcessCommandLine == @'dir \\"%programfiles%\\"' 
or InitiatingProcessCommandLine == 'net group \"Exchange Servers\" /domain' 
or InitiatingProcessCommandLine == 'net accounts' 
or InitiatingProcessCommandLine == 'net accounts /domain' 
or InitiatingProcessCommandLine == 'net view 127.0.0.1 /all' 
or InitiatingProcessCommandLine == 'net session' 
or InitiatingProcessCommandLine == 'route print' 
or InitiatingProcessCommandLine == 'ipconfig /displaydns') 
|project Timestamp,DeviceName,InitiatingProcessCommandLine,InitiatingProcessAccountName