Windows Computer Account With SPN

Splunk Security Content

Summary
This detection rule targets the addition of Service Principal Names (SPNs), particularly 'HOST' and 'RestrictedKrbHost', to Windows computer accounts, a behavior known to be linked to Kerberos-based attacks. It relies on the Windows Security Event Log, specifically EventCode 4741, which logs modifications to computer account properties. The analytic identifies potential Kerberos relay attacks in which an attacker impersonates a service and escalates privileges within the network. Monitoring these events lets organizations detect and respond to account changes that may indicate an attacker moving through the network. The rule captures the relevant security events and processes them in a structured way so the potential threat can be assessed. Implementing it requires Windows Security Event Log collection that includes EventCode 4741, so that the relevant activity is available for analysis.
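To show the detection logic the summary describes, here is an added example (not the Splunk rule itself) that runs the SPN check over constructed EventCode 4741 records; the field names follow the event's attribute names, and the hostnames and account names are hypothetical.

```python
"""Flag Windows Security EventCode 4741 records whose computer account
carries HOST/ or RestrictedKrbHost/ Service Principal Names."""
from collections import Counter

# Constructed sample records (not real log data). Field names follow the
# 4741 event's attributes; hostnames and user names are hypothetical.
SAMPLE_EVENTS = [
    {"EventCode": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WS01$",
     "ServicePrincipalNames": "HOST/ws01.corp.example\n\t\tHOST/WS01"},
    {"EventCode": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WS02$",
     "ServicePrincipalNames": "RestrictedKrbHost/ws02.corp.example\n\t\tRestrictedKrbHost/WS02"},
    {"EventCode": 4741, "SubjectUserName": "printadmin", "TargetUserName": "PRN02$",
     "ServicePrincipalNames": "-"},   # "-" means no SPNs were set
    {"EventCode": 4742, "SubjectUserName": "jdoe", "TargetUserName": "WS01$",
     "ServicePrincipalNames": "HOST/ws01.corp.example"},  # not 4741, ignored
]

# SPN service classes the analytic watches for (compared case-insensitively).
WATCHED_SPN_CLASSES = {"host", "restrictedkrbhost"}


def parse_spns(raw):
    """Split the multi-line ServicePrincipalNames attribute into single SPNs."""
    if raw is None or raw.strip() == "-":
        return []
    return [line.strip() for line in raw.splitlines() if line.strip()]


def spn_class(spn):
    """Return the service class (text before the first '/'), lower-cased."""
    return spn.split("/", 1)[0].lower()


def detect_computer_spn(events):
    """Return one finding per 4741 event that registers a watched SPN class."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4741:
            continue
        hits = [s for s in parse_spns(ev.get("ServicePrincipalNames"))
                if spn_class(s) in WATCHED_SPN_CLASSES]
        if hits:
            findings.append({"subject": ev["SubjectUserName"],
                             "computer": ev["TargetUserName"],
                             "spns": hits})
    return findings


def subjects_by_count(findings):
    """Count findings per creating account, to spot one subject adding many."""
    return Counter(f["subject"] for f in findings)
```

A routine domain join also registers HOST/ and RestrictedKrbHost/ SPNs, so tune the output by baselining the SubjectUserName accounts that are expected to create computer objects and reviewing the rest.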
Categories
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1558
Created: 2024-12-10