Windows AD Abnormal Object Access Activity

Splunk Security Content

Summary
This detection rule focuses on identifying abnormal access patterns to Active Directory (AD) objects through Windows Security Event Code 4662. It analyzes Windows event logs to detect statistically significant increases in access attempts, which could indicate reconnaissance activity by an attacker. By establishing a baseline of historical access behavior through average and standard deviation calculations, the rule helps security teams spot unusual access behavior that may lead to privilege escalation or unauthorized system modifications. Implementing the rule requires proper event logging configuration (Audit Directory Service Access) and careful handling of known service accounts to minimize false positives.
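The baseline-and-deviation logic the summary describes, as an added Python illustration that is not the Splunk rule itself (the real detection is SPL over Event ID 4662 logs): it counts 4662 events per account per day over constructed sample data, computes each account's historical mean and standard deviation, and flags an evaluation day whose count exceeds mean + k*stddev, skipping allow-listed service accounts and accounts with too little history. The sample events, the k threshold, the standard-deviation floor and the minimum-history value are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs): one (day, account) tuple per 4662 event.
# Seven baseline days of normal volume, then an evaluation day with spikes.
BASELINE = {"alice": [10, 12, 11, 9, 10, 11, 12], "bob": [5] * 7, "svc_backup": [50] * 7}
SAMPLE_EVENTS = [(f"2024-11-{d + 1:02d}", acct)
                 for acct, counts in BASELINE.items()
                 for d, n in enumerate(counts) for _ in range(n)]
SAMPLE_EVENTS += [("2024-11-08", "alice")] * 80        # alice: ~8x her normal volume
SAMPLE_EVENTS += [("2024-11-08", "bob")] * 6           # bob: within normal noise
SAMPLE_EVENTS += [("2024-11-08", "svc_backup")] * 300  # known service account (allow-listed)
SAMPLE_EVENTS += [("2024-11-08", "newuser")] * 40      # no history to baseline against
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}  # assumed allow-list, tuned per environment

def daily_counts(events):
    """Map account -> Counter{day: number of 4662 events}."""
    per_account = defaultdict(Counter)
    for day, account in events:
        per_account[account][day] += 1
    return per_account

def detect_abnormal_access(events, eval_day, k=3.0, min_baseline_days=5,
                           stddev_floor=1.0, allowlist=frozenset()):
    """Flag accounts whose eval_day count exceeds mean + k*stddev of prior days.
    stddev_floor stops a perfectly flat history (stddev 0) from alerting on a
    one-event increase; min_baseline_days skips accounts with too little history.
    """
    alerts = []
    for account, days in daily_counts(events).items():
        if account in allowlist:
            continue
        history = [n for day, n in days.items() if day < eval_day]  # ISO dates sort
        today = days.get(eval_day, 0)
        if len(history) < min_baseline_days or today == 0:
            continue
        avg, sd = mean(history), max(pstdev(history), stddev_floor)
        if today > avg + k * sd:
            alerts.append({"account": account, "count": today,
                           "avg": round(avg, 2), "stdev": round(sd, 2),
                           "z": round((today - avg) / sd, 1)})
    return sorted(alerts, key=lambda a: -a["z"])

if __name__ == "__main__":
    for alert in detect_abnormal_access(SAMPLE_EVENTS, "2024-11-08",
                                        allowlist=KNOWN_SERVICE_ACCOUNTS):
        print(alert)
```

Running it flags only alice (80 accesses against a baseline of about 10.7 with a standard deviation of about 1.0); bob stays under the floored threshold, newuser is skipped for lack of history, and the service account is skipped by the allow-list.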
Categories
  • Endpoint
  • Identity Management
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1087
  • T1087.002
Created: 2024-11-13