
Summary
This detection rule identifies network connections to Active Directory Web Services (ADWS), which listens on TCP port 9389 on domain controllers and backs the Active Directory PowerShell module and the Active Directory Administrative Center. ADWS exposes directory queries over a SOAP/WS-* interface rather than LDAP, so it gives an attacker a way to enumerate users, groups and domain trusts that LDAP-focused monitoring may not cover; that enumeration typically precedes privilege escalation or lateral movement. The analytic uses Sysmon EventID 3 (network connection) events normalized to the Network_Traffic data model of the Splunk Common Information Model and counts connections by source IP, destination IP, originating process (application) and destination port, filtering on destination port 9389. Connections to ADWS from hosts that are not known administrative systems, or from unexpected processes, are the anomalies of interest. Benign traffic is expected from admin workstations running RSAT tooling, so baseline known source hosts and processes and tune the search accordingly. Sysmon data must be properly CIM-normalized for the search to return results.
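The following is an added example, not the rule's own SPL or any code from the Splunk project. It emulates the analytic's logic in Python over a handful of constructed Sysmon EventID 3 records (flattened to key=value text for readability): filter to network-connection events whose destination port is 9389, drop sources on a hypothetical allowlist of admin workstations, and count the remaining connections by source IP, destination IP and originating image. The allowlist, IP addresses and image paths are all assumptions made up for the example.

```python
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, Tuple

ADWS_PORT = 9389

# Hypothetical allowlist of admin workstations expected to use ADWS (assumption).
KNOWN_ADMIN_HOSTS: FrozenSet[str] = frozenset({"10.0.0.50"})

# Constructed sample records, not real logs. Each line is a Sysmon event
# reduced to key=value pairs; EventID 3 is a network connection.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "SourceIp=10.0.0.25 DestinationIp=10.0.0.10 DestinationPort=9389 Protocol=tcp",
    "EventID=3 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "SourceIp=10.0.0.25 DestinationIp=10.0.0.10 DestinationPort=9389 Protocol=tcp",
    "EventID=3 Image=C:\\Users\\jdoe\\Downloads\\enum.exe "
    "SourceIp=10.0.0.31 DestinationIp=10.0.0.10 DestinationPort=9389 Protocol=tcp",
    # dsac.exe is the Active Directory Administrative Center, here from an allowlisted host.
    "EventID=3 Image=C:\\Windows\\System32\\dsac.exe "
    "SourceIp=10.0.0.50 DestinationIp=10.0.0.10 DestinationPort=9389 Protocol=tcp",
    # Unrelated outbound HTTPS connection; must not match.
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe "
    "SourceIp=10.0.0.25 DestinationIp=203.0.113.7 DestinationPort=443 Protocol=tcp",
    # Process-creation event (EventID 1); must be ignored by the filter.
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Key of the aggregation: (src_ip, dest_ip, image, dest_port), mirroring
# the rule's grouping by source, destination, application and port.
Key = Tuple[str, str, str, int]


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key=value event line into a dict (values contain no spaces here)."""
    return dict(KV_RE.findall(line))


def adws_connections(lines: Iterable[str],
                     port: int = ADWS_PORT,
                     allowlist: FrozenSet[str] = frozenset()) -> Counter:
    """Count Sysmon network connections to the ADWS port per (src, dest, image, port).

    Events that are not EventID 3, that target another port, or that come from
    an allowlisted source host are skipped.
    """
    counts: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":
            continue
        if ev.get("DestinationPort") != str(port):
            continue
        if ev.get("SourceIp") in allowlist:
            continue
        key: Key = (ev["SourceIp"], ev["DestinationIp"], ev["Image"], port)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dest, image, dport), n in adws_connections(
            SAMPLE_EVENTS, allowlist=KNOWN_ADMIN_HOSTS).items():
        print(f"{src} -> {dest}:{dport} via {image}: {n} connection(s)")
```

Run stand-alone, the script reports two suspicious groupings: repeated PowerShell connections from 10.0.0.25 and a single connection from an unknown binary on 10.0.0.31, while the ADAC session from the allowlisted host and the unrelated HTTPS connection are dropped. In Splunk the same filtering is done in SPL against the CIM fields (src, dest, app, dest_port); the allowlist corresponds to the tuning the rule's summary calls for.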
Categories
- Network
- Windows
- Endpoint
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1087.002
- T1069.001
- T1482
- T1087.001
- T1087
- T1069.002
- T1069
- T1059.001
Created: 2024-11-13