
Summary
The rule identifies potential misuse of the Active Directory Web Service (ADWS) by monitoring processes that load specific Active Directory-related modules and then open network connections to the ADWS port (TCP port 9389). Using a sequence-based query, it checks for any process, excluding known administrative actions, that interacts with ADWS in this way. If a process loads one of the target DLLs (System.DirectoryServices*.dll or System.IdentityModel*.dll) and subsequently establishes a network connection to the ADWS endpoint, the rule triggers an alert. This detection is important because adversaries may leverage ADWS for reconnaissance, gaining unauthorized insight into user accounts and resources within an Active Directory environment. False positives from legitimate administrative tools or service accounts should be expected and triaged, which is why the detection parameters need ongoing review and fine-tuning.
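As an added illustration of the sequence logic described above (not the rule's own query, which this summary does not reproduce), the following Python correlates constructed endpoint events per process: a target DLL load followed by a connection to TCP 9389 produces one alert, unless the process name is on an exclusion list. The event fields, the sample events, the exclusion list entry and the time window are assumptions.

```python
import fnmatch

# Detection parameters taken from the rule summary.
TARGET_DLLS = ("system.directoryservices*.dll", "system.identitymodel*.dll")
ADWS_PORT = 9389
# The summary says known administrative actions are excluded but does not
# list them; this entry is a hypothetical placeholder.
EXCLUDED_PROCESSES = {"known_admin_tool.exe"}

# Constructed sample events (not from the original page). Each record models
# either a DLL load ("library") or an outbound connection ("network").
SAMPLE_EVENTS = [
    {"ts": 10, "type": "library", "pid": 100, "process": "powershell.exe",
     "dll": r"C:\Windows\assembly\System.DirectoryServices.Protocols.dll"},
    {"ts": 12, "type": "network", "pid": 100, "process": "powershell.exe",
     "dest_port": 9389},                       # target DLL then ADWS: alert
    {"ts": 20, "type": "library", "pid": 200, "process": "rundll32.exe",
     "dll": r"C:\Windows\assembly\System.IdentityModel.dll"},
    {"ts": 21, "type": "network", "pid": 200, "process": "rundll32.exe",
     "dest_port": 443},                        # not the ADWS port: no alert
    {"ts": 30, "type": "network", "pid": 300, "process": "custom.exe",
     "dest_port": 9389},                       # no prior target DLL: no alert
    {"ts": 40, "type": "library", "pid": 400, "process": "known_admin_tool.exe",
     "dll": r"C:\Windows\assembly\System.DirectoryServices.dll"},
    {"ts": 41, "type": "network", "pid": 400, "process": "known_admin_tool.exe",
     "dest_port": 9389},                       # excluded administrative tool
]


def loads_target_dll(path):
    """True if the module's file name matches a target DLL pattern (case-insensitive)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in TARGET_DLLS)


def detect_adws_sequences(events, max_gap=60):
    """Per pid: a target DLL load followed within max_gap seconds (an assumed
    window) by a connection to the ADWS port yields one alert per sequence."""
    pending = {}   # pid -> timestamp of the earliest qualifying DLL load
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["process"].lower() in EXCLUDED_PROCESSES:
            continue
        if ev["type"] == "library" and loads_target_dll(ev["dll"]):
            pending.setdefault(ev["pid"], ev["ts"])
        elif ev["type"] == "network" and ev.get("dest_port") == ADWS_PORT:
            loaded_at = pending.pop(ev["pid"], None)
            if loaded_at is not None and ev["ts"] - loaded_at <= max_gap:
                alerts.append({"pid": ev["pid"], "process": ev["process"],
                               "dll_load_ts": loaded_at, "connect_ts": ev["ts"]})
    return alerts
```

Running `detect_adws_sequences(SAMPLE_EVENTS)` returns a single alert for pid 100; the other three processes are suppressed by the port check, the missing DLL load, and the exclusion list respectively.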
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1018
Created: 2024-01-31