Unusual Number of Kerberos Service Tickets Requested

Splunk Security Content

Summary
This detection rule identifies anomalous requests for Kerberos service tickets, which may indicate a Kerberoasting attack. It uses Kerberos Event 4769 and tracks the number of ticket requests per host. The analysis applies the 3-sigma statistical method to identify outliers in the frequency of these requests. Because Kerberoasting attacks exploit the Kerberos protocol to gain unauthorized access to sensitive accounts by obtaining service tickets, detecting such anomalies is vital for safeguarding Active Directory environments. A deviation from the average request rate, particularly by a user, raises concerns about possible privilege escalation and breaches of security protocols. To implement this detection effectively, adequate logging and domain controller events must be ingested, and the corresponding audit policies must be configured accordingly.
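The per-host 3-sigma check described above, as an added Python example that is not the rule's own search or Splunk's code. The 2-minute window, the event field names, the hostnames and the minimum-history guard are assumptions, and the events are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 120  # seconds per bucket; an assumption, the page does not give one
BASE = 1_699_999_920  # constructed epoch start, aligned to WINDOW

def outlier_windows(events, sigmas=3.0, min_windows=11):
    """Return (host, window_start, count, upper_bound) where count > mean + sigmas*stdev."""
    counts = defaultdict(lambda: defaultdict(int))  # host -> window start -> requests
    for ev in events:
        if ev["EventCode"] != 4769:  # only service ticket requests
            continue
        counts[ev["host"]][ev["time"] - ev["time"] % WINDOW] += 1
    hits = []
    for host, windows in counts.items():
        values = list(windows.values())
        # With population stdev, one spike among n windows sits at most sqrt(n-1)
        # sigmas above the mean, so fewer than 11 windows can never exceed 3 sigma.
        if len(values) < min_windows:
            continue
        upper = mean(values) + sigmas * pstdev(values)
        hits += [(host, w, n, round(upper, 2))
                 for w, n in sorted(windows.items()) if n > upper]
    return hits

def constructed_events():
    """Constructed sample data: hostnames and counts are invented for the example."""
    profile = {
        "WS-014": [1, 2, 3, 2] * 5 + [40],  # steady baseline, then a burst
        "WS-022": [2] * 21,                 # flat, never an outlier
        "WS-031": [1, 1, 1, 1, 30],         # burst, but too little history to judge
    }
    events = [{"EventCode": 4768, "host": "WS-014", "time": BASE}]  # not 4769, ignored
    for host, per_window in profile.items():
        for idx, n in enumerate(per_window):
            events += [{"EventCode": 4769, "host": host, "time": BASE + idx * WINDOW + i}
                       for i in range(n)]
    return events

if __name__ == "__main__":
    for hit in outlier_windows(constructed_events()):
        print(hit)
```

Only the WS-014 burst is reported. The WS-031 burst stays under its own 3-sigma bound because five windows of history let the spike inflate the standard deviation, which is why a baseline needs enough samples before this method is meaningful.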
Categories
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1558
  • T1558.003
Created: 2024-11-13