Windows AD Replication Service Traffic

Splunk Security Content

Summary
The rule identifies Active Directory (AD) replication traffic originating from sources that are not domain controllers, which can indicate credential-theft techniques such as DCSync (a non-DC host asking a DC to replicate account secrets) or DCShadow (a host registering itself as a rogue DC and pushing changes). AD replication should occur only between domain controllers, so replication-like traffic from any other source is suspicious and warrants investigation. The analytic queries the Network Traffic data model for application labels associated with the AD replication protocols, e.g. 'ms-dc-replication', '*drsr*' and 'ad drs', and excludes sources categorized as domain controllers. It aggregates the matching traffic by key attributes (user, source and destination, and their asset categories) together with first- and last-seen timestamps, so an analyst can see which host and account pulled replication data and when. Because the match is on an application label, the detection depends on logs from application-aware firewalls or proxies that identify the protocol; plain flow or port logs will not populate that field. Asset categorization must also be accurate, since a domain controller not tagged as such will be flagged, and hosts that legitimately use the replication API (for example directory synchronization servers) should be allowlisted to limit false positives.
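The following is an added illustration of the logic the summary describes, written here in Python rather than taken from the Splunk rule's own search: it matches replication application labels (including the '*drsr*' wildcard), drops traffic whose source is categorized as a domain controller, and aggregates the rest by user, source, destination and category with first/last-seen times. The record shape (fields such as `_time`, `app`, `src_category`) and the sample records are constructed assumptions for the example.

```python
"""Added example (not Splunk's own search): flag AD replication-protocol traffic
whose source is not categorized as a domain controller, over constructed samples."""
import fnmatch

# Application labels named in the summary; '*drsr*' is a wildcard, as in the rule.
AD_REPLICATION_APPS = ("ms-dc-replication", "*drsr*", "ad drs")

# Constructed sample records using Network_Traffic-style field names
# (_time, app, src, src_category, dest, dest_category, user). The shape is assumed.
SAMPLE_TRAFFIC = [
    # DC-to-DC replication: expected, must not fire.
    {"_time": 1731600000, "app": "ms-dc-replication", "src": "10.0.1.10",
     "src_category": "domain_controller", "dest": "10.0.1.11",
     "dest_category": "domain_controller", "user": "DC01$"},
    # Workstation requesting replication data from a DC: DCSync-like.
    {"_time": 1731600060, "app": "ad drs", "src": "10.0.5.23",
     "src_category": "workstation", "dest": "10.0.1.10",
     "dest_category": "domain_controller", "user": "jdoe"},
    {"_time": 1731600120, "app": "msrpc-drsr-base", "src": "10.0.5.23",
     "src_category": "workstation", "dest": "10.0.1.10",
     "dest_category": "domain_controller", "user": "jdoe"},
    # Ordinary LDAP from the same host: not a replication protocol, ignored.
    {"_time": 1731600180, "app": "ldap", "src": "10.0.5.23",
     "src_category": "workstation", "dest": "10.0.1.10",
     "dest_category": "domain_controller", "user": "jdoe"},
    # Source with no asset category: cannot be proven a DC, so it is flagged.
    {"_time": 1731600240, "app": "ms-dc-replication", "src": "10.0.7.5",
     "src_category": "", "dest": "10.0.1.11",
     "dest_category": "domain_controller", "user": "svc_backup"},
]


def is_replication_app(app):
    """True if the application label matches one of the replication patterns."""
    label = (app or "").lower()
    return any(fnmatch.fnmatchcase(label, pat) for pat in AD_REPLICATION_APPS)


def detect_nondc_replication(records, dc_categories=("domain_controller",)):
    """Return aggregated hits: replication traffic from non-DC sources.

    Records are grouped by user, source, destination and their categories,
    with first/last-seen times and a count, as the analytic aggregates them.
    A missing source category is kept as 'unknown' rather than dropped, because
    an unlabeled source cannot be assumed to be a domain controller.
    """
    groups = {}
    for rec in records:
        if not is_replication_app(rec.get("app")):
            continue
        src_cat = (rec.get("src_category") or "unknown").lower()
        if src_cat in dc_categories:
            continue  # DC-to-DC replication is normal
        dest_cat = (rec.get("dest_category") or "unknown").lower()
        key = (rec.get("user"), rec["src"], src_cat, rec["dest"], dest_cat)
        g = groups.setdefault(key, {
            "user": key[0], "src": key[1], "src_category": key[2],
            "dest": key[3], "dest_category": key[4],
            "first_seen": rec["_time"], "last_seen": rec["_time"],
            "count": 0, "apps": set(),
        })
        g["first_seen"] = min(g["first_seen"], rec["_time"])
        g["last_seen"] = max(g["last_seen"], rec["_time"])
        g["count"] += 1
        g["apps"].add(rec["app"].lower())
    return sorted(groups.values(), key=lambda g: g["first_seen"])


if __name__ == "__main__":
    for hit in detect_nondc_replication(SAMPLE_TRAFFIC):
        print(hit)
```

Running it on the constructed records yields two hits: the workstation 10.0.5.23 (two replication requests by jdoe, the LDAP request ignored) and the uncategorized host 10.0.7.5. The second hit shows the tuning point from the summary: an untagged domain controller or a legitimate synchronization server would surface the same way until asset categories or an allowlist are fixed.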
Categories
  • Network
  • On-Premise
  • Windows
  • Identity Management
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1003 (OS Credential Dumping)
  • T1207 (Rogue Domain Controller)
  • T1003.006 (OS Credential Dumping: DCSync)
Created: 2024-11-15