
Add or Remove Computer from DC

Sigma Rules

Summary
This rule detects the creation or removal of computer accounts in a Windows environment, using Security Event IDs 4741 (A computer account was created) and 4743 (A computer account was deleted). It can be used to monitor activities such as the addition of new Service Principal Names (SPNs), which may indicate malicious behavior such as a DCShadow attack, in which an attacker manipulates Active Directory to create or modify directory objects, often as an evasion technique against traditional defenses. The rule is assigned a low severity level: the detection is worthwhile, but further context is usually needed to judge whether an event represents a genuine threat or a benign administrative action. Be aware of potential false positives, particularly from unknown sources, and correlate these events with other indicators to improve detection accuracy and reduce alert fatigue.
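The following is an added illustration of the detection logic the summary describes, written for this page; it is not the Sigma project's rule and it does not reproduce the rule's YAML. It runs over constructed Security-channel events serialized as JSON (the field names EventID, SubjectUserName and TargetUserName follow the layout of Windows Security log exports, but the records themselves are made up), flags every 4741 and 4743 event, marks events from actors outside a hypothetical provisioning allowlist for triage (the false-positive point in the summary), and additionally reports computer accounts that were both created and deleted within the same batch, which is one simple correlation a defender might layer on top of the base rule.

```python
"""Detection logic for Windows Security Event IDs 4741 / 4743 over
constructed sample events (added example, not the Sigma project's rule)."""
import json
from dataclasses import dataclass

# Event IDs named in the rule summary.
COMPUTER_ACCOUNT_CREATED = 4741
COMPUTER_ACCOUNT_DELETED = 4743
WATCHED_EVENT_IDS = {
    COMPUTER_ACCOUNT_CREATED: "created",
    COMPUTER_ACCOUNT_DELETED: "deleted",
}

# Hypothetical allowlist of accounts that legitimately join or remove
# machines (e.g. an imaging/provisioning service account). Placeholder name.
KNOWN_PROVISIONING_ACCOUNTS = {"svc-provisioning"}


@dataclass
class Finding:
    action: str        # "created" or "deleted"
    computer: str      # the computer account (TargetUserName, ends with "$")
    actor: str         # who performed the change (SubjectUserName)
    needs_triage: bool # True when the actor is not a known provisioning account


def analyze_events(raw_events):
    """Return a Finding for every 4741/4743 event in an iterable of JSON lines.

    Events with other IDs are ignored; malformed lines are skipped rather than
    aborting the whole batch, so one bad record cannot blind the detection.
    """
    findings = []
    for line in raw_events:
        try:
            ev = json.loads(line)
            eid = int(ev.get("EventID", 0))
        except (ValueError, TypeError):
            continue
        if eid not in WATCHED_EVENT_IDS:
            continue
        actor = ev.get("SubjectUserName", "<unknown>")
        findings.append(Finding(
            action=WATCHED_EVENT_IDS[eid],
            computer=ev.get("TargetUserName", "<unknown>"),
            actor=actor,
            needs_triage=actor not in KNOWN_PROVISIONING_ACCOUNTS,
        ))
    return findings


def short_lived_accounts(findings):
    """Return computer accounts that were both created and deleted in the batch.

    A create/delete pair for the same account is a simple correlation worth
    surfacing separately; it is an assumption of this example, not part of
    the rule itself.
    """
    created = {f.computer for f in findings if f.action == "created"}
    deleted = {f.computer for f in findings if f.action == "deleted"}
    return sorted(created & deleted)


# Constructed sample log lines (not real telemetry), shaped like a SIEM's
# JSON export of the Security channel.
SAMPLE_EVENTS = [
    '{"EventID": 4741, "SubjectUserName": "svc-provisioning", "TargetUserName": "WS-0142$"}',
    '{"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}',
    '{"EventID": 4741, "SubjectUserName": "jdoe", "TargetUserName": "LAB-PC-99$"}',
    'this line is not JSON and must be skipped',
    '{"EventID": 4743, "SubjectUserName": "jdoe", "TargetUserName": "LAB-PC-99$"}',
]

if __name__ == "__main__":
    results = analyze_events(SAMPLE_EVENTS)
    for f in results:
        flag = "TRIAGE" if f.needs_triage else "info"
        print(f"[{flag}] computer account {f.computer} {f.action} by {f.actor}")
    for name in short_lived_accounts(results):
        print(f"[CORRELATE] {name} was created and deleted in the same batch")
```

In a real deployment the allowlist would be populated from the organisation's own provisioning accounts, and the create/delete correlation would be bounded by a time window rather than a single batch; both are left as plain constants here so the logic stays readable.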
Categories
  • Windows
  • On-Premise
Data Sources
  • Windows Registry
  • Active Directory
  • Logon Session
Created: 2022-10-14