
Potential Active Directory Reconnaissance/Enumeration Via LDAP

Sigma Rules

Summary
This detection rule identifies potential reconnaissance and enumeration of Active Directory by inspecting the search filters of LDAP queries. It matches filters commonly issued by enumeration tooling: queries that list group memberships, select accounts by account type, and resolve the distinguished names of high-value security groups such as Domain Admins and Enterprise Admins. It also flags filters that select accounts by attributes associated with elevated access or abuse potential, for example accounts with a service principal name or accounts whose passwords are set never to expire. Reviewing these events lets defenders spot the early stages of an intrusion or insider activity, when an attacker is still mapping the domain before moving laterally or escalating privileges. Because administrative tools and some Windows components issue similar filters during normal operation, the rule is best treated as a hunting or correlation signal and baselined per host and process rather than alerted on in isolation.
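The following added example (not part of the original page and not the Sigma rule's own logic) shows what filter-based triage of LDAP client events looks like in practice. It runs over a handful of constructed JSON events in the shape a collector might emit for Microsoft-Windows-LDAP-Client search events, matches each `SearchFilter` against an assumed list of enumeration indicators, and additionally decodes `userAccountControl` bit-AND filters (matching rule OID 1.2.840.113556.1.4.803) into flag names so the analyst can see which account property the query was hunting for. The event fields, process names and indicator list are assumptions for illustration, not the rule's actual selection.

```python
"""Toy LDAP search-filter triage for Active Directory enumeration hunting.

The event shape, the process names and the indicator list below are
assumptions made for this example; they are not copied from the Sigma rule.
"""
import json
import re

# Constructed sample events (not real telemetry): the shape that
# Microsoft-Windows-LDAP-Client search events might take after a collector
# converts them to one JSON object per line.
SAMPLE_EVENTS = [
    '{"ProcessId": 4128, "ProcessName": "powershell.exe", '
    '"SearchFilter": "(&(samAccountType=805306368)(servicePrincipalName=*))"}',
    '{"ProcessId": 4128, "ProcessName": "powershell.exe", '
    '"SearchFilter": "(&(objectCategory=group)(cn=Domain Admins))"}',
    '{"ProcessId": 912, "ProcessName": "svchost.exe", '
    '"SearchFilter": "(objectClass=*)"}',
    '{"ProcessId": 4128, "ProcessName": "powershell.exe", '
    '"SearchFilter": "(&(objectCategory=person)(objectClass=user)'
    '(userAccountControl:1.2.840.113556.1.4.803:=65536))"}',
    '{"ProcessId": 2200, "ProcessName": "explorer.exe", '
    '"SearchFilter": "(&(objectClass=user)(sAMAccountName=jdoe))"}',
]

# Assumed indicator substrings (matched case-insensitively, since LDAP
# attribute names are case-insensitive) and why each one matters.
ENUMERATION_INDICATORS = {
    "(samAccountType=805306368)": "selects every normal user account",
    "(objectCategory=group)": "group enumeration",
    "(objectCategory=person)": "user enumeration",
    "(servicePrincipalName=*)": "SPN enumeration (Kerberoasting targets)",
    "Domain Admins": "privileged group lookup",
    "Enterprise Admins": "privileged group lookup",
}

# userAccountControl bits that enumeration tooling commonly asks for.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# LDAP_MATCHING_RULE_BIT_AND applied to userAccountControl, e.g.
# (userAccountControl:1.2.840.113556.1.4.803:=65536)
UAC_BIT_AND = re.compile(
    r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=(\d+)", re.IGNORECASE
)


def parse_event(line):
    """Parse one JSON-per-line event into a dict."""
    return json.loads(line)


def decode_uac_filter(search_filter):
    """Return the UAC flag names a bit-AND filter asks for ([] if none)."""
    names = []
    for match in UAC_BIT_AND.finditer(search_filter):
        value = int(match.group(1))
        names.extend(name for bit, name in UAC_FLAGS.items() if value & bit)
    return names


def classify_filter(search_filter):
    """Return the list of reasons a filter looks like enumeration ([] if clean)."""
    lowered = search_filter.lower()
    reasons = [why for needle, why in ENUMERATION_INDICATORS.items()
               if needle.lower() in lowered]
    reasons.extend(f"userAccountControl bit-AND for {name}"
                   for name in decode_uac_filter(search_filter))
    return reasons


def scan(lines):
    """Run the classifier over raw event lines and return the alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        search_filter = event.get("SearchFilter", "")
        reasons = classify_filter(search_filter)
        if reasons:
            alerts.append({
                "process": event.get("ProcessName"),
                "pid": event.get("ProcessId"),
                "filter": search_filter,
                "reasons": reasons,
            })
    return alerts


def hits_per_process(alerts):
    """Aggregate alerts by process name: many hits from one process is the
    pattern to escalate, a single hit is often benign administration."""
    counts = {}
    for alert in alerts:
        counts[alert["process"]] = counts.get(alert["process"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["process"]} (pid {alert["pid"]}): {alert["filter"]}')
        for reason in alert["reasons"]:
            print(f"    - {reason}")
    print("hits per process:", hits_per_process(found))
```

In the sample set the three enumeration-style filters all come from one `powershell.exe` process while the `svchost.exe` and `explorer.exe` queries produce no hits; that per-process clustering, rather than any single filter, is what makes the activity worth a closer look.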
Categories
  • Identity Management
  • Network
Data Sources
  • Active Directory
  • Network Traffic
Created: 2021-06-22