
Summary
The rule titled "SecretsDump Credential Harvest" detects credential harvesting performed with the SecretsDump.py tool, which collects NTLM hashes from targeted systems remotely, without installing an agent on them. The tool is associated with adversaries such as APT15 and Scattered Spider (aka 0ktapus, UNC3944), as well as the Volt Typhoon group. Detection relies on Windows event logs for authentication and access activity, specifically Event Codes 4624 (Logon), 4661 (Object Access), and 5145 (Network Share Access). The logic correlates these events to identify distinct logon sources and tie them to possible credential dumping actions, raising an alert when a session accesses network shares related to the SAM (Security Accounts Manager). This allows suspicious behavior indicative of remote credential harvesting to be identified.
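As an added illustration of the correlation described above (this is example code, not the rule's own logic, which the page does not reproduce), the following Python script joins constructed 4624, 4661 and 5145 events by logon ID and alerts when a network logon session touches SAM-related pipes or SAM object handles. Field names follow the Windows Security log EventData schema; the set of pipe names treated as SAM-related is an assumption.

```python
"""Correlate Windows Security events 4624, 4661 and 5145 by logon ID (example)."""
from collections import defaultdict

# Constructed sample events modelled on Windows Security log fields
# (assumption: a real pipeline would parse EventData XML; here they are dicts).
SAMPLE_EVENTS = [
    {"EventCode": 4624, "TargetLogonId": "0x3E7A1", "LogonType": 3,
     "IpAddress": "10.0.0.5", "TargetUserName": "svc-backup"},
    {"EventCode": 5145, "SubjectLogonId": "0x3E7A1", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "samr", "IpAddress": "10.0.0.5"},
    {"EventCode": 4661, "SubjectLogonId": "0x3E7A1", "ObjectType": "SAM_DOMAIN",
     "ObjectName": "DOMAIN"},
    # Benign network logon that only opens a file share: must not alert.
    {"EventCode": 4624, "TargetLogonId": "0x41B22", "LogonType": 3,
     "IpAddress": "10.0.0.9", "TargetUserName": "alice"},
    {"EventCode": 5145, "SubjectLogonId": "0x41B22", "ShareName": r"\\*\Finance",
     "RelativeTargetName": "Q1\\report.xlsx", "IpAddress": "10.0.0.9"},
]

# Assumption: named pipes under IPC$ that remote SAM access goes through.
SAM_PIPES = {"samr", "winreg"}
# 4661 object types that belong to the SAM database.
SAM_OBJECT_TYPES = {"SAM_SERVER", "SAM_DOMAIN", "SAM_USER"}


def correlate(events):
    """Return one alert per network logon (4624, type 3) whose session later
    produced a SAM-related 5145 or 4661 event; benign sessions yield nothing."""
    logons = {}                   # TargetLogonId -> 4624 event
    sam_hits = defaultdict(list)  # SubjectLogonId -> evidence strings
    for ev in events:
        code = ev["EventCode"]
        if code == 4624 and ev.get("LogonType") == 3:
            logons[ev["TargetLogonId"]] = ev
        elif code == 5145 and ev.get("RelativeTargetName", "").lower() in SAM_PIPES:
            sam_hits[ev["SubjectLogonId"]].append(
                f"5145 {ev['ShareName']}\\{ev['RelativeTargetName']}")
        elif code == 4661 and ev.get("ObjectType") in SAM_OBJECT_TYPES:
            sam_hits[ev["SubjectLogonId"]].append(
                f"4661 {ev['ObjectType']}:{ev['ObjectName']}")
    return [{"logon_id": lid, "src": ev["IpAddress"], "user": ev["TargetUserName"],
             "evidence": sam_hits[lid]} for lid, ev in logons.items() if lid in sam_hits]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```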
Categories
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1003.002
Created: 2024-02-09