
Summary
This detection rule identifies potentially malicious access to the Active Directory Federation Services (AD FS) configuration database by uncommon tools, using Sysmon named pipe events. When AD FS is deployed with the Windows Internal Database (WID), the configuration database is reachable only locally, over the SQL named pipe `\MICROSOFT##WID\tsql\query`, and the rule watches connections to that pipe. The database holds the configuration and encrypted key material the farm needs to sign SAML tokens, so unauthorized reads of it are a plausible precursor to token forgery and warrant investigation. The rule alerts when the pipe is accessed by any process image that does not match a preset list of known tools and services, such as `mmc.exe`, `svchost.exe`, and the AD FS service binaries; that allowlist is also what keeps false positives from routine system activity down, and it should be reviewed against the specific farm rather than taken as-is. Sysmon must be configured to log named pipe events (Event ID 17, Pipe Created, and Event ID 18, Pipe Connected) for the rule to have anything to match. Deployments that back AD FS with a full SQL Server instance instead of WID do not expose this pipe and need a different data source for equivalent coverage.
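The following is an added worked example, not code from the rule or its authors: it emulates the detection logic in Python over a handful of constructed, simplified pipe-event records. The pipe name and the `mmc.exe` / `svchost.exe` entries come from the rule summary; the AD FS service binary `Microsoft.IdentityServer.ServiceHost.exe` and the full install paths in the allowlist are assumptions for illustration. It also contrasts a full-path allowlist with the suffix match a Sigma `Image|endswith` filter expresses, to show the bypass a renamed tool in a user-writable directory gets under suffix matching.

```python
"""Emulation of the AD FS WID named pipe detection over constructed records."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Named pipe the rule watches: the local SQL endpoint of the Windows Internal
# Database (WID) that hosts the AD FS configuration database.
ADFS_WID_PIPE = r"\MICROSOFT##WID\tsql\query"

# Processes expected to touch that pipe, keyed on lower-cased full image path.
# mmc.exe and svchost.exe are named in the rule summary; the AD FS service
# binary and all install paths are assumptions made for this example.
ALLOWED_IMAGES = {
    r"c:\windows\system32\mmc.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\adfs\microsoft.identityserver.servicehost.exe",
}


@dataclass(frozen=True)
class PipeEvent:
    event_id: int   # Sysmon 17 = Pipe Created, 18 = Pipe Connected
    image: str      # full path of the process that created/connected the pipe
    pipe_name: str


# Constructed sample records in a simplified Field=value layout (not real
# Sysmon XML): two legitimate accesses, two suspicious ones, one unrelated
# pipe, one non-pipe event, and a tool renamed svchost.exe outside System32.
SAMPLE_LOG = r"""
EventID=18 Image=C:\Windows\System32\svchost.exe PipeName=\MICROSOFT##WID\tsql\query
EventID=18 Image=C:\Windows\System32\mmc.exe PipeName=\MICROSOFT##WID\tsql\query
EventID=18 Image=C:\Tools\sqlcmd.exe PipeName=\MICROSOFT##WID\tsql\query
EventID=18 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PipeName=\microsoft##wid\tsql\query
EventID=18 Image=C:\Windows\System32\cmd.exe PipeName=\lsass
EventID=1 Image=C:\Tools\sqlcmd.exe PipeName=\MICROSOFT##WID\tsql\query
EventID=18 Image=C:\Users\Public\svchost.exe PipeName=\MICROSOFT##WID\tsql\query
""".strip().splitlines()

LINE_RE = re.compile(r"EventID=(\d+) Image=(\S+) PipeName=(\S+)")


def parse_events(lines: Iterable[str]) -> List[PipeEvent]:
    """Parse the simplified records; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.fullmatch(line.strip())
        if m:
            events.append(PipeEvent(int(m.group(1)), m.group(2), m.group(3)))
    return events


def is_adfs_db_pipe(pipe_name: str) -> bool:
    # Windows pipe names are case-insensitive, so compare lower-cased.
    return pipe_name.lower() == ADFS_WID_PIPE.lower()


def is_allowed_full_path(image: str) -> bool:
    """Strict allowlist: the whole image path must be known."""
    return image.lower() in ALLOWED_IMAGES


def is_allowed_suffix(image: str) -> bool:
    """What a Sigma 'Image|endswith: \\\\svchost.exe' style filter does.
    A tool renamed svchost.exe in any directory passes this check."""
    basenames = {"\\" + p.rsplit("\\", 1)[1] for p in ALLOWED_IMAGES}
    return any(image.lower().endswith(b) for b in basenames)


def detect(events: Iterable[PipeEvent],
           allowed: Callable[[str], bool] = is_allowed_full_path) -> List[PipeEvent]:
    """Return pipe events (EID 17/18) on the WID pipe from non-allowlisted images."""
    return [ev for ev in events
            if ev.event_id in (17, 18)
            and is_adfs_db_pipe(ev.pipe_name)
            and not allowed(ev.image)]


if __name__ == "__main__":
    for ev in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT EID {ev.event_id}: {ev.image} -> {ev.pipe_name}")
```

With the full-path allowlist the sample yields three alerts (`sqlcmd.exe`, `powershell.exe`, and the renamed `C:\Users\Public\svchost.exe`); with suffix matching the renamed binary is silently accepted and only two alerts remain. Pinning allowed images to their expected install paths, or pairing the rule with a process-creation check on the image's signer, closes that gap at the cost of maintaining the paths for the specific farm.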
Categories
- Windows
- Cloud
- Identity Management
Data Sources
- Named Pipe
- Process
Created: 2021-10-08