
Summary
This detection rule looks for an unusual number of computer service ticket requests from a single source by analyzing Windows Security Event Log entries with Event ID 4769, which is logged on a Domain Controller each time a Kerberos service ticket (TGS) is requested. For each source it counts the distinct computer accounts (service names ending in `$`) for which tickets were requested, builds a baseline of that count, and applies the 3-sigma rule: a source whose distinct-target count exceeds the baseline mean plus three standard deviations is reported as an outlier.

A single client that suddenly requests tickets for many different hosts is consistent with lateral movement, internal reconnaissance (enumerating which machines an account can reach), or malware spreading across the domain, since a service ticket is the step that precedes authenticating to each target. Left undetected, this can let an attacker reach many systems, leading to data exfiltration and broader compromise.

Implementation requires that Kerberos service ticket operations are audited on all Domain Controllers (Audit Kerberos Service Ticket Operations, so that Event ID 4769 is generated) and that the events are collected; otherwise the baseline is incomplete. Legitimate administrative tooling, backup or monitoring service accounts, and vulnerability scanners routinely request tickets for many hosts and will trigger this rule, so detected sources should be checked against known scanners and administrative jump hosts before being treated as incidents.
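The statistical logic described above, as an added Python example that is not the rule's own query. It parses constructed Event ID 4769 records (the field names IpAddress, TargetUserName, ServiceName and Status are the event's real XML fields; the whitespace layout, the one-hour bucketing, the leave-one-out baseline across all source/hour buckets, and the `min_targets` and `known_scanners` parameters are assumptions made for this example), computes the distinct number of computer accounts targeted per source per hour, and flags buckets above mean + 3 sigma:

```python
"""Mean + 3*sigma detection of unusual distinct computer service ticket
requests (Event ID 4769) per source. Added example, not the rule's own query."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample 4769 records (not real log data), one per line:
# <TimeCreated> <IpAddress> <TargetUserName> <ServiceName> <Status>
# Status 0x0 is a successful TGS request; a ServiceName ending in '$' is a
# computer account. 10.0.1.50 is the constructed outlier, krbtgt is not a
# computer account, and the 0x12 line is a failed request.
SAMPLE_4769 = """\
2024-11-13T08:01:10 10.0.1.21 jdoe FILESRV01$ 0x0
2024-11-13T08:02:41 10.0.1.21 jdoe PRINT01$ 0x0
2024-11-13T08:03:05 10.0.1.22 asmith FILESRV01$ 0x0
2024-11-13T08:09:17 10.0.1.22 asmith FILESRV01$ 0x0
2024-11-13T08:04:30 10.0.1.23 bwong FILESRV01$ 0x0
2024-11-13T08:05:12 10.0.1.23 bwong MAIL01$ 0x0
2024-11-13T08:06:48 10.0.1.24 clee PRINT01$ 0x0
2024-11-13T08:07:00 10.0.1.25 svc_backup FILESRV01$ 0x0
2024-11-13T08:07:01 10.0.1.25 svc_backup FILESRV02$ 0x0
2024-11-13T08:07:02 10.0.1.25 svc_backup SQL01$ 0x0
2024-11-13T08:07:03 10.0.1.25 svc_backup SQL02$ 0x12
2024-11-13T08:12:00 10.0.1.50 jdoe krbtgt 0x0
2024-11-13T08:12:01 10.0.1.50 jdoe WS001$ 0x0
2024-11-13T08:12:02 10.0.1.50 jdoe WS002$ 0x0
2024-11-13T08:12:03 10.0.1.50 jdoe WS003$ 0x0
2024-11-13T08:12:04 10.0.1.50 jdoe WS004$ 0x0
2024-11-13T08:12:05 10.0.1.50 jdoe WS005$ 0x0
2024-11-13T08:12:06 10.0.1.50 jdoe WS006$ 0x0
2024-11-13T08:12:07 10.0.1.50 jdoe WS007$ 0x0
2024-11-13T08:12:08 10.0.1.50 jdoe WS008$ 0x0
2024-11-13T08:12:09 10.0.1.50 jdoe WS009$ 0x0
2024-11-13T08:12:10 10.0.1.50 jdoe WS010$ 0x0
2024-11-13T09:01:10 10.0.1.21 jdoe FILESRV01$ 0x0
"""

Bucket = Tuple[str, str]  # (IpAddress, hour bucket "YYYY-MM-DDTHH")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated sample format into 4769 field dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, service, status = line.split()
        records.append({"TimeCreated": ts, "IpAddress": ip,
                        "TargetUserName": user, "ServiceName": service,
                        "Status": status})
    return records


def distinct_computer_targets(records: List[Dict[str, str]]) -> Dict[Bucket, Set[str]]:
    """Distinct computer accounts targeted per source per hour, counting only
    successful requests (Status 0x0) for computer accounts (trailing '$')."""
    targets: Dict[Bucket, Set[str]] = defaultdict(set)
    for r in records:
        if r["Status"] != "0x0" or not r["ServiceName"].endswith("$"):
            continue
        hour = datetime.fromisoformat(r["TimeCreated"]).strftime("%Y-%m-%dT%H")
        targets[(r["IpAddress"], hour)].add(r["ServiceName"])
    return targets


def three_sigma_outliers(counts: Dict[Bucket, int], min_targets: int = 5,
                         min_baseline: int = 3,
                         known_scanners=frozenset()) -> List[Dict[str, object]]:
    """Return buckets whose distinct-target count exceeds mean + 3*sigma.

    The baseline for each bucket is taken over all *other* buckets
    (leave-one-out), so a single large spike cannot inflate the sigma meant
    to catch it. min_targets (assumption) drops statistically unusual but
    tiny counts; known_scanners (assumption) suppresses allow-listed sources.
    """
    flagged = []
    for bucket, n in counts.items():
        if bucket[0] in known_scanners:
            continue
        others = [c for b, c in counts.items() if b != bucket]
        if len(others) < min_baseline:  # too little data for a baseline
            continue
        upper = mean(others) + 3 * pstdev(others)
        if n > upper and n >= min_targets:
            flagged.append({"IpAddress": bucket[0], "hour": bucket[1],
                            "unique_targets": n, "upper_bound": round(upper, 2)})
    return flagged


def detect(text: str, **kwargs) -> List[Dict[str, object]]:
    """Run the full pipeline over raw records."""
    targets = distinct_computer_targets(parse_records(text))
    counts = {b: len(s) for b, s in targets.items()}
    return three_sigma_outliers(counts, **kwargs)


if __name__ == "__main__":
    for hit in detect(SAMPLE_4769):
        print(hit)
```

Without the leave-one-out baseline, the outlier's own count inflates the standard deviation enough (with only seven buckets here) that 10 distinct targets falls under the upper bound; a real deployment with more history has the same problem whenever an attacker's burst dominates the window, which is why the baseline should be computed on data the tested bucket is not part of. The `known_scanners` allow-list is where the vulnerability scanner and administrative jump host addresses from the false-positive note above would go.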
Categories
- Endpoint
Data Sources
- Windows Security Event Log (Event ID 4769)
ATT&CK Techniques
- T1078
Created: 2024-11-13