
Summary
The rule 'SharpHound Recon Account Discovery' detects suspicious remote RPC calls that SharpHound uses for reconnaissance within a network. Specifically, it watches for remote procedure calls that enumerate local group memberships and connections, activity SharpHound performs to map paths for lateral movement and privilege escalation. The rule relies on events raised by the RPC Firewall when an RPC call matches a configured filter, namely calls targeting a predefined interface UUID and operation number that are characteristic of SharpHound. It selects entries from the Event Log tagged RPCFW with Event ID 3, which indicates that the filter criteria were met. False positives are listed as unknown, and the rule is rated high severity. This makes it a useful part of active defense against the account discovery and reconnaissance phases that precede lateral movement.
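As an added illustration (not the rule's own code or anything from the page), the selection logic described above expressed as a small matcher run over constructed RPCFW events; the interface UUID and OpNum below are placeholders because the page does not state the rule's actual values.

```python
# Added example: evaluate the rule's selection (RPCFW log, Event ID 3,
# one interface UUID, one OpNum) against constructed RPC Firewall events.
from dataclasses import dataclass

# Placeholders (assumption): substitute the interface UUID and operation
# number from the actual Sigma rule before using this against real events.
RULE_INTERFACE_UUID = "00000000-0000-0000-0000-000000000000"
RULE_OPNUM = 0
RULE_EVENT_LOG = "RPCFW"   # Event Log tag the page names
RULE_EVENT_ID = 3          # "filter criteria met" event, as the page states


@dataclass
class RpcfwEvent:
    """One RPC Firewall event; field names are assumptions, not RPCFW's schema."""
    event_log: str
    event_id: int
    interface_uuid: str
    opnum: int
    client_addr: str  # constructed field: address of the calling host


def matches_rule(ev: RpcfwEvent,
                 uuid: str = RULE_INTERFACE_UUID,
                 opnum: int = RULE_OPNUM) -> bool:
    """Return True only when every selection field of the rule matches."""
    return (ev.event_log == RULE_EVENT_LOG
            and ev.event_id == RULE_EVENT_ID
            and ev.interface_uuid.lower() == uuid.lower()
            and ev.opnum == opnum)


def find_hits(events: list[RpcfwEvent]) -> list[RpcfwEvent]:
    """Filter a batch of events down to the ones the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (not real captures). Only the first event
# satisfies all four selection fields; each other one misses exactly one.
SAMPLE_EVENTS = [
    RpcfwEvent("RPCFW", 3, RULE_INTERFACE_UUID, RULE_OPNUM, "10.0.0.5"),
    RpcfwEvent("RPCFW", 3, RULE_INTERFACE_UUID, RULE_OPNUM + 1, "10.0.0.5"),  # other OpNum
    RpcfwEvent("RPCFW", 1, RULE_INTERFACE_UUID, RULE_OPNUM, "10.0.0.6"),      # other Event ID
    RpcfwEvent("Security", 3, RULE_INTERFACE_UUID, RULE_OPNUM, "10.0.0.7"),   # other log
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT SharpHound recon from {hit.client_addr}: "
              f"uuid={hit.interface_uuid} opnum={hit.opnum}")
```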
Categories
- Network
- Endpoint
- Windows
Data Sources
- Application Log
- Network Traffic
Created: 2022-01-01