Detect SharpHound File Modifications

Splunk Security Content

Summary
This detection rule identifies the creation of files typically associated with SharpHound, a tool used for reconnaissance in Active Directory environments, particularly for gathering domain and trust data. It ingests data from the Endpoint.Filesystem data model, specifically file modification events, and looks for file names matching the naming conventions SharpHound uses, such as '*_BloodHound.zip' and several JSON files commonly written by SharpHound, which indicate potential malicious activity. The presence of these files can suggest an attacker is conducting domain enumeration, a step that can facilitate lateral movement and privilege escalation within an organization. This rule leverages Sysmon EventID 11 to capture the relevant file creation events and provides a mechanism to identify and respond to potential threats before they result in significant damage.
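As an added example (not part of the Splunk rule itself), the following Python applies the file-name check the summary describes to a few constructed Sysmon Event ID 11 records and aggregates hits by host and writing process, the way a search over Endpoint.Filesystem would. The JSON file names in the pattern list, the sample hosts and the paths are assumptions, not values taken from the page.

```python
import fnmatch
import ntpath
from collections import defaultdict

# File-name patterns described on the page: the SharpHound zip archive plus
# its JSON collection files. The specific JSON names are an assumption
# (SharpHound's default output naming), not a list quoted from the page.
SHARPHOUND_FILE_PATTERNS = (
    "*_BloodHound.zip", "*_computers.json", "*_users.json", "*_groups.json",
    "*_domains.json", "*_sessions.json", "*_gpos.json", "*_ous.json",
)

# Constructed Sysmon records, reduced to the fields a search over
# Endpoint.Filesystem would read (host, process image, target file path).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "ws01", "Image": r"C:\Users\alice\Downloads\SharpHound.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\20241113120000_BloodHound.zip"},
    {"EventID": 11, "Computer": "ws01", "Image": r"C:\Users\alice\Downloads\SharpHound.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\20241113120000_computers.json"},
    {"EventID": 11, "Computer": "ws01", "Image": r"C:\Users\alice\Downloads\SharpHound.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\20241113120000_USERS.JSON"},
    {"EventID": 11, "Computer": "ws02", "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\ProgramData\App\report.json"},
    # EventID 23 is FileDelete, not FileCreate; the rule must ignore it.
    {"EventID": 23, "Computer": "ws03", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\old_BloodHound.zip"},
]


def matches_sharphound_name(path):
    """True if the file's base name matches a SharpHound naming pattern.
    Matching is case-insensitive because NTFS file names are."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in SHARPHOUND_FILE_PATTERNS)


def detect_sharphound_files(events):
    """Apply the check to Sysmon Event ID 11 records only and aggregate hits
    by (host, process), like a `stats values(file_name) count by dest, process`."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if matches_sharphound_name(ev["TargetFilename"]):
            hits[(ev["Computer"], ev["Image"])].append(ntpath.basename(ev["TargetFilename"]))
    return [{"dest": host, "process": image, "count": len(files), "file_names": sorted(files)}
            for (host, image), files in sorted(hits.items())]


if __name__ == "__main__":
    for alert in detect_sharphound_files(SAMPLE_EVENTS):
        print(alert)
```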
Categories
  • Endpoint
  • Windows
  • On-Premise
Data Sources
  • Pod
  • Container
  • User Account
  • Windows Registry
  • File
  • Process
ATT&CK Techniques
  • T1059.001
  • T1087.002
  • T1069.001
  • T1482
  • T1087.001
  • T1087
  • T1069.002
  • T1069
Created: 2024-11-13