
Windows AD Short Lived Domain Account ServicePrincipalName

Splunk Security Content

Summary
This detection rule monitors for the rapid addition and deletion of a Service Principal Name (SPN) on a Windows domain account, specifically an add followed by a delete within a 5-minute window. Using Windows Security Event Log EventCode 5136, the rule captures changes to the servicePrincipalName attribute. This behavior is indicative of potential Kerberoasting attempts, where attackers seek to obtain the cleartext password of a domain account by temporarily attaching an SPN to it, requesting a service ticket, and then removing the SPN to cover their tracks. If confirmed, such activity poses a significant risk as it may facilitate unauthorized access to sensitive domain resources or privilege escalation. The detection mechanism employs a transaction function to track the lifecycle of the SPN modifications (the add event opening the transaction and the delete event closing it), so that instances of rapid change are flagged for further analysis.
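The add-then-delete pairing described above, replayed in Python over a handful of constructed EventCode 5136 records. This is an added example, not code from the Splunk Security Content project; the field names follow the Windows 5136 event (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, SubjectUserName), and the account and SPN values are placeholders.

```python
"""Flag SPNs that were added to and removed from an account within a short window."""
from datetime import datetime, timedelta

# OperationType values Windows writes into Event 5136 for attribute changes.
OP_VALUE_ADDED = "%%14674"
OP_VALUE_DELETED = "%%14675"
WINDOW = timedelta(minutes=5)  # the rule's 5-minute transaction span

# Constructed sample events (not real log data); DNs and SPNs are placeholders.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T10:00:00", "EventCode": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web01.corp.example", "OperationType": OP_VALUE_ADDED},
    {"_time": "2024-11-13T10:02:30", "EventCode": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web01.corp.example", "OperationType": OP_VALUE_DELETED},
    # Legitimate change: SPN removed 30 minutes later, outside the window.
    {"_time": "2024-11-13T11:00:00", "EventCode": 5136, "SubjectUserName": "admin",
     "ObjectDN": "CN=svc-sql,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/db01.corp.example:1433", "OperationType": OP_VALUE_ADDED},
    {"_time": "2024-11-13T11:30:00", "EventCode": 5136, "SubjectUserName": "admin",
     "ObjectDN": "CN=svc-sql,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/db01.corp.example:1433", "OperationType": OP_VALUE_DELETED},
    # Unrelated attribute change on the same account: must be ignored.
    {"_time": "2024-11-13T10:01:00", "EventCode": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "temp", "OperationType": OP_VALUE_ADDED},
]


def find_short_lived_spns(events, window=WINDOW):
    """Return one finding per (account, SPN) whose add is followed by a delete within `window`."""
    open_adds = {}   # (ObjectDN, SPN) -> (time added, actor), like an open transaction
    findings = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev.get("EventCode") != 5136 or ev.get("AttributeLDAPDisplayName") != "servicePrincipalName":
            continue
        key = (ev["ObjectDN"], ev["AttributeValue"])
        ts = datetime.fromisoformat(ev["_time"])
        if ev["OperationType"] == OP_VALUE_ADDED:
            open_adds[key] = (ts, ev["SubjectUserName"])
        elif ev["OperationType"] == OP_VALUE_DELETED and key in open_adds:
            added_at, actor = open_adds.pop(key)   # delete closes the transaction
            duration = ts - added_at
            if duration <= window:
                findings.append({"ObjectDN": key[0], "spn": key[1], "actor": actor,
                                 "duration_s": int(duration.total_seconds())})
    return findings
```

Only the svc-backup pair is reported (150 seconds between add and delete); the svc-sql pair exceeds the window and the description change is not an SPN.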
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1098
Created: 2024-11-13