
Summary
This detection rule identifies execution of the "csvde.exe" command-line utility on Windows systems. csvde is commonly used to export data from Active Directory, and an attacker can use it to export sensitive information about the organizational structure held in the directory. The rule matches process creation events in which the image name ends in "csvde.exe" and the command line contains the file output option ("-f") but not the import option ("-i"), so that only exports, not imports, are flagged.
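The rule logic as the summary describes it, written out as an added example (not the rule's own code or Sigma source); the event field names, the constructed sample events and the whole-token matching of the "-f" and "-i" options are assumptions:

```python
# Added example (not part of the rule page): evaluates the rule's logic,
# as the summary describes it, against constructed process-creation events.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation event; field names are assumed, not the rule's."""
    image: str
    command_line: str


def _has_option(command_line: str, option: str) -> bool:
    """True if the option appears as its own token (case-insensitive).

    Assumption: whole-token matching rather than a plain substring check, so
    that an argument such as 'ad-info.csv' does not count as the '-i' option
    and wrongly suppress a real export.
    """
    return option.lower() in (tok.lower() for tok in command_line.split())


def matches_csvde_export(event: ProcessEvent) -> bool:
    """Rule: image ends in csvde.exe, command line has -f (file output)
    and does not have -i (import)."""
    if not event.image.lower().endswith("csvde.exe"):
        return False
    cmd = event.command_line
    return _has_option(cmd, "-f") and not _has_option(cmd, "-i")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\csvde.exe", r"csvde.exe -f C:\Users\Public\ad_export.csv"),
    ProcessEvent(r"C:\Windows\System32\csvde.exe", r"csvde.exe -i -f C:\temp\new_users.csv"),
    ProcessEvent(r"C:\Windows\System32\csvde.exe", r'csvde.exe -r "(objectClass=user)" -f ad-info.csv'),
    ProcessEvent(r"C:\Windows\System32\ldifde.exe", r"ldifde.exe -f C:\temp\out.ldf"),
    ProcessEvent(r"C:\Windows\System32\csvde.exe", r"csvde.exe /?"),
]


def alert(events):
    """Return the command lines of all events that trigger the rule."""
    return [e.command_line for e in events if matches_csvde_export(e)]


if __name__ == "__main__":
    for line in alert(SAMPLE_EVENTS):
        print("ALERT csvde export:", line)
```

Only the first and third sample events trigger: the second is an import, the fourth is a different image, and the fifth has no output file.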
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-03-14