CSVDE Export Active Directory

Anvilogic Forge

Summary
This detection rule identifies executions of the command-line tool csvde.exe used to export data from Active Directory, activity observed in intrusions attributed to advanced persistent threat (APT) actors such as Volt Typhoon. The rule looks for Windows Security log event ID 4688 (process creation) and filters for csvde.exe launched with the -f parameter, which names the file the exported data is written to. The parameter is only visible when "Audit Process Creation" is enabled together with "Include command line in process creation events"; on hosts without command-line auditing the 4688 event carries an empty process command line and the rule cannot match. Note also that -f is used in both directions: with -i it names an import file, so a hit should be checked for -i before it is treated as an export. The rule uses both `get_endpoint_data` and `get_endpoint_data_winevent` to gather the relevant event fields, such as the user who ran the command, host details and process metadata. csvde.exe ships with AD DS and RSAT, so matches from domain administrators and provisioning scripts should be baselined; the hits worth investigating are unexpected accounts, member workstations rather than domain controllers, and output written to user-writable or network-reachable paths. Reviewing these events lets organizations detect unauthorized attempts to extract sensitive Active Directory information and provides evidence of potential misuse and malicious activity.
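The following is an added example of the detection logic described above, run over constructed 4688 records; it is illustrative code written for this page, not the Anvilogic rule or its `get_endpoint_data` macros. The event dictionaries, field names (`NewProcessName`, `CommandLine`, `SubjectUserName`, `Computer`) and the helper names are assumptions modelled on the Security log 4688 schema. Beyond the rule as summarized, it distinguishes the -i import direction from an export and counts the csvde executions the rule is blind to because no command line was logged.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample records shaped like Security log 4688 (process creation)
# events. These are made-up test inputs for this example, not captured logs.
SAMPLE_4688_EVENTS = [
    {   # AD user export written to a world-readable folder: should fire
        "EventID": 4688, "Computer": "DC01.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
        "NewProcessName": r"C:\Windows\System32\csvde.exe",
        "CommandLine": r'csvde -f "C:\Users\Public\ad users.csv" -r "(objectClass=user)"',
    },
    {   # same tool in import mode: -i makes -f the input file, not an export
        "EventID": 4688, "Computer": "DC01.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "admin.ops",
        "NewProcessName": r"C:\Windows\System32\csvde.exe",
        "CommandLine": r"csvde -i -f C:\temp\newusers.csv -k",
    },
    {   # command-line auditing off: -f is invisible, so the rule cannot match
        "EventID": 4688, "Computer": "WS07.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
        "NewProcessName": r"C:\Windows\System32\csvde.exe",
        "CommandLine": "",
    },
    {   # unrelated binary that also takes -f: must not fire
        "EventID": 4688, "Computer": "WS07.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
        "NewProcessName": r"C:\Windows\System32\findstr.exe",
        "CommandLine": r"findstr -f C:\temp\patterns.txt C:\temp\log.txt",
    },
    {   # process exit (4689), not a creation event: ignored
        "EventID": 4689, "Computer": "DC01.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
        "NewProcessName": r"C:\Windows\System32\csvde.exe",
        "CommandLine": "",
    },
]

# Windows-style argument split: a double-quoted string or a run of non-space.
# shlex is deliberately avoided because in POSIX mode it eats the backslashes
# in Windows paths.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokenize(command_line: str) -> list[str]:
    return [t.strip('"') for t in _TOKEN.findall(command_line)]


def _is_csvde(event: dict) -> bool:
    image = event.get("NewProcessName", "")
    return image.rsplit("\\", 1)[-1].lower() == "csvde.exe"


@dataclass
class Finding:
    host: str
    user: str            # DOMAIN\user, as a SOC analyst would expect to see it
    mode: str            # "export" or "import"
    target_file: Optional[str]
    command_line: str


def detect_csvde(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per 4688 event where csvde.exe ran with -f."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("EventID") != 4688 or not _is_csvde(ev):
            continue
        tokens = _tokenize(ev.get("CommandLine", ""))
        switches = [t.lower() for t in tokens]      # normalise switch case
        if "-f" not in switches:
            continue                                 # also skips empty command lines
        idx = switches.index("-f")
        target = tokens[idx + 1] if idx + 1 < len(tokens) else None
        findings.append(Finding(
            host=ev["Computer"],
            user=f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            mode="import" if "-i" in switches else "export",
            target_file=target,
            command_line=ev["CommandLine"],
        ))
    return findings


def blind_csvde_executions(events: Iterable[dict]) -> int:
    """Count csvde.exe creations the -f filter is blind to (no command line logged).
    A non-zero count is a hunting lead and a sign that command-line auditing is off."""
    return sum(1 for ev in events
               if ev.get("EventID") == 4688 and _is_csvde(ev)
               and not ev.get("CommandLine"))


if __name__ == "__main__":
    for f in detect_csvde(SAMPLE_4688_EVENTS):
        print(f"{f.host} {f.user} {f.mode} -> {f.target_file}")
    print("blind csvde executions:", blind_csvde_executions(SAMPLE_4688_EVENTS))
```

The export hit is the one to triage first; the import hit shows why the -i switch should be inspected rather than alerting on -f alone, and the blind count makes the auditing gap visible instead of silently producing no alerts.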
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1087.001
  • T1087.002
Created: 2024-02-09