
Summary
The SharpHound rule uses Splunk queries to detect Active Directory (AD) enumeration carried out by malicious actors. It extracts endpoint process data and command-line parameters that indicate attempts to gather AD information, including account discovery, domain trust relationships, and password policies. By applying filters and regex matching to those fields, it identifies processes tied to SharpHound's data collection methods, tooling that has been associated with known threat actors such as APT29 and BlackMatter. The rule maps to key ATT&CK techniques, including account discovery and system information discovery, and so gives defenders a clearer picture of the reconnaissance tactics adversaries use before compromising the integrity of an AD environment.
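As an added illustration of the matching logic the summary describes (example code written for this page, not the rule's own SPL), the Python below applies the same kind of filters and regex to a few constructed process-creation events and reports which collection methods were requested. The flag spellings and collection-method names are assumptions taken from SharpHound's public documentation; the sample events are constructed, not real telemetry.

```python
import re

# Assumed SharpHound CollectionMethods values (lower-cased for comparison).
COLLECTION_METHODS = {
    "all", "default", "dconly", "session", "loggedon", "trusts", "acl",
    "container", "group", "localadmin", "objectprops", "gpolocalgroup",
    "computeronly", "rdp", "dcom", "psremote", "localgroup",
}

# Constructed sample endpoint events; ws03 runs a renamed binary so only the
# command-line flag gives it away.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "process": "C:\\Temp\\SharpHound.exe",
     "command_line": "SharpHound.exe -c All --zipfilename out.zip"},
    {"host": "ws02", "user": "asmith", "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": 'powershell.exe -nop -c "Import-Module .\\SharpHound.ps1; Invoke-BloodHound -CollectionMethod Session,Trusts"'},
    {"host": "ws03", "user": "svc_backup", "process": "C:\\Tools\\collector.exe",
     "command_line": "collector.exe --collectionmethods DCOnly --domain corp.example"},
    {"host": "ws04", "user": "jdoe", "process": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\Users"},
]

SHARPHOUND_NAME = re.compile(r"sharphound", re.IGNORECASE)
INVOKE_BLOODHOUND = re.compile(r"invoke-bloodhound", re.IGNORECASE)
# Assumed flag forms: -c, -CollectionMethod, --collectionmethods; the lookbehind
# keeps "-c" from matching inside other tokens such as "Import-Module".
METHOD_FLAG = re.compile(r"(?<!\S)(?:--?collectionmethods?|-c)\s+([A-Za-z,]+)", re.IGNORECASE)

def collection_methods(cmdline):
    """Return the known collection methods requested on the command line."""
    found = set()
    for m in METHOD_FLAG.finditer(cmdline):
        for tok in m.group(1).split(","):
            if tok.lower() in COLLECTION_METHODS:
                found.add(tok.lower())
    return sorted(found)

def classify(event):
    """Return (reasons, methods) for one process-creation event."""
    proc, cmd = event["process"], event["command_line"]
    reasons = []
    if SHARPHOUND_NAME.search(proc) or SHARPHOUND_NAME.search(cmd):
        reasons.append("sharphound_name")
    if INVOKE_BLOODHOUND.search(cmd):
        reasons.append("invoke_bloodhound")
    methods = collection_methods(cmd)
    if methods:
        reasons.append("collection_methods")
    return reasons, methods

def detect(events):
    """Filter events to those matching any SharpHound indicator."""
    findings = []
    for ev in events:
        reasons, methods = classify(ev)
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "reasons": reasons, "methods": methods})
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags ws01, ws02 and ws03 and leaves the plain `cmd.exe` event alone; the renamed collector on ws03 is caught only by the collection-method flag, which is why the rule inspects command-line parameters rather than process names alone.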
Categories
- Infrastructure
- Identity Management
- Endpoint
Data Sources
- Process
- Application Log
- User Account
ATT&CK Techniques
- T1069.001
- T1087.001
- T1087.002
- T1482
- T1201
- T1069.002
- T1082
Created: 2024-02-09