Kerberos Traffic from Unusual Process

Elastic Detection Rules

Summary
This detection rule identifies unusual network connections to the standard Kerberos port (88) that originate from processes other than the expected `lsass.exe` on Windows systems. Kerberos is a core component of Windows Active Directory environments, providing secure authentication for services and applications. The rule is intentionally sensitive: a process not normally associated with Kerberos making such connections can indicate credential theft or misuse, in particular the technique known as "Kerberoasting." The EQL query targets egress traffic from Windows hosts, matching connections whose source port falls in the dynamic range (49152 and above) and whose initiating process is not a trusted system process. The rule helps detect lateral movement or ticket theft when a legitimate account has been compromised.
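The following is an added illustration of the matching logic the summary describes, written in Python over constructed sample events; it is not Elastic's EQL rule and not code from the rule repository. The field names, the `NetworkEvent` type and the `TRUSTED_PROCESSES` allowlist (which the page only says contains `lsass.exe`) are assumptions for the example.

```python
"""Re-implementation of the described Kerberos-traffic check (illustrative, not Elastic's EQL)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

KERBEROS_PORT = 88
DYNAMIC_PORT_MIN = 49152  # start of the dynamic/ephemeral client port range

# Executables allowed to talk to port 88. The page names only lsass.exe;
# anything else you add here is deployment-specific tuning (assumption).
TRUSTED_PROCESSES: Set[str] = {r"c:\windows\system32\lsass.exe"}


@dataclass
class NetworkEvent:
    """Minimal network-connection event; field names are assumed, not ECS-exact."""
    host_os: str             # e.g. "windows", "linux"
    direction: str           # "egress" or "ingress"
    src_port: int
    dst_port: int
    process_executable: str  # full path of the process that opened the connection


def is_unusual_kerberos_client(ev: NetworkEvent, trusted: Set[str] = TRUSTED_PROCESSES) -> bool:
    """True when a Windows process other than a trusted one initiates traffic to tcp/88."""
    if ev.host_os.lower() != "windows":
        return False
    if ev.direction != "egress":          # only outbound connections from the host
        return False
    if ev.dst_port != KERBEROS_PORT:      # only Kerberos traffic
        return False
    if ev.src_port < DYNAMIC_PORT_MIN:    # client side should use a dynamic source port
        return False
    # Compare the full, case-folded path so a renamed binary elsewhere does not match.
    return ev.process_executable.lower() not in trusted


def find_unusual_kerberos_clients(events: Iterable[NetworkEvent]) -> List[NetworkEvent]:
    """Return every event that the rule logic would alert on."""
    return [ev for ev in events if is_unusual_kerberos_client(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    NetworkEvent("windows", "egress", 50123, 88, r"C:\Windows\System32\lsass.exe"),            # expected
    NetworkEvent("windows", "egress", 51044, 88, r"C:\Users\alice\AppData\Local\Temp\tool.exe"),  # unusual
    NetworkEvent("windows", "egress", 51045, 443, r"C:\Program Files\Browser\browser.exe"),     # not Kerberos
    NetworkEvent("windows", "ingress", 88, 50999, r"C:\Windows\System32\lsass.exe"),            # inbound
    NetworkEvent("linux", "egress", 52000, 88, "/usr/bin/kinit"),                              # not Windows
]

if __name__ == "__main__":
    for hit in find_unusual_kerberos_clients(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process_executable} -> tcp/{hit.dst_port} from source port {hit.src_port}")
```

Only the second sample event matches. Two tuning points follow from the logic: the exclusion compares the full executable path rather than the bare process name, so a binary merely named `lsass.exe` in another directory still alerts; and legitimate non-`lsass.exe` Kerberos clients (applications that ship their own Kerberos/GSS-API implementation) will trigger the rule and need to be added to the allowlist after review rather than suppressed globally.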
Categories
  • Endpoint
  • Windows
Data Sources
  • Network Traffic
  • Process
ATT&CK Techniques
  • T1558
Created: 2020-11-02