
Summary
The Kerberos User Enumeration detection rule identifies an unusual number of Ticket Granting Ticket (TGT) requests for non-existent users from a single source. It is built on Windows Security Event ID 4768 (a Kerberos authentication ticket was requested) and uses a 3-sigma statistical method to flag anomalies. The rule matters because it surfaces user enumeration against Active Directory: by observing which names the KDC rejects, an adversary validates usernames, paving the way for password spraying, brute force or credential stuffing. The search filters for EventCode 4768 with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, meaning the requested client principal does not exist in the domain, which is a failed request rather than a valid one) and excludes service accounts. It buckets these events into two-minute intervals, computes the distinct count of requested usernames per source IP and interval, and derives each source's baseline average and standard deviation to define the outlier bound. An interval in which a source exceeds the defined threshold of distinct username requests and the average plus three standard deviations is flagged for further investigation, as it may indicate an enumeration attack in progress.
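The search logic described above, as an added example that is not the rule's own SPL or any code from this page: it filters 4768 records for Status 0x6, drops names ending in `$`, buckets by two-minute span, counts distinct usernames per source and span, and flags spans at or above mean + 3·stdev. The field names (EventCode, Status, TargetUserName, IpAddress), the two-minute span, the 3-sigma multiplier, the floor of 10 distinct names per span and the sample log records are all assumptions constructed for this example.

```python
"""Kerberos user-enumeration check over Windows Event ID 4768 records.

Added example of the 3-sigma logic described above; it is not the rule's own
SPL. Field names follow the Windows Security log (EventCode, Status,
TargetUserName, IpAddress). The 2-minute span, the 3-sigma multiplier and the
absolute floor of 10 distinct names are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SPAN = timedelta(minutes=2)
SIGMA = 3
MIN_UNIQUE = 10  # assumed absolute floor on distinct names per span
# KDC_ERR_C_PRINCIPAL_UNKNOWN: the client principal is not in the KDC database
PRINCIPAL_UNKNOWN = "0x6"


def relevant(ev):
    """Keep TGT requests for non-existent users; drop machine accounts (name$)."""
    return (ev["EventCode"] == 4768
            and ev["Status"].lower() == PRINCIPAL_UNKNOWN
            and not ev["TargetUserName"].endswith("$"))


def span_start(ts):
    """Floor a timestamp to the start of its 2-minute span (like bucket span=2m)."""
    return ts - (ts - datetime(1970, 1, 1)) % SPAN


def distinct_names(events):
    """Map (span_start, source_ip) -> set of distinct usernames requested."""
    names = defaultdict(set)
    for ev in filter(relevant, events):
        names[(span_start(ev["_time"]), ev["IpAddress"])].add(ev["TargetUserName"])
    return names


def find_outliers(events):
    """Return {source_ip: [(span_start, unique_count, upper_bound), ...]}.

    The baseline for each source is the mean and population standard
    deviation of its per-span distinct counts, the spike included, mirroring
    an eventstats-style computation. A span is flagged when its count is
    above MIN_UNIQUE and at or above mean + SIGMA * stdev.
    """
    counts = defaultdict(list)
    for (start, ip), users in distinct_names(events).items():
        counts[ip].append((start, len(users)))

    flagged = {}
    for ip, rows in counts.items():
        values = [n for _, n in rows]
        upper = mean(values) + SIGMA * pstdev(values)
        hits = [(s, n, round(upper, 2)) for s, n in sorted(rows)
                if n > MIN_UNIQUE and n >= upper]
        if hits:
            flagged[ip] = hits
    return flagged


def sample_events(quiet_spans=14):
    """Constructed 4768 records (not real logs).

    10.0.0.5 mistypes one or two names per span the whole time. 10.0.0.99 is
    quiet for `quiet_spans` spans, then requests 40 wordlist names in one span.
    """
    t0 = datetime(2024, 11, 13, 9, 0, 0)
    events = []

    def add(minute, second, ip, name, status="0x6", code=4768):
        events.append({"_time": t0 + timedelta(minutes=minute, seconds=second),
                       "EventCode": code, "Status": status,
                       "TargetUserName": name, "IpAddress": ip})

    for k in range(quiet_spans + 1):
        add(2 * k, 5, "10.0.0.5", "jdoe")
        add(2 * k, 40, "10.0.0.5", f"jdoe{k % 3}")
    add(1, 0, "10.0.0.5", "jdoe", status="0x0")  # successful TGT: filtered out
    add(1, 1, "10.0.0.5", "WS01$")               # machine account: filtered out
    for k in range(quiet_spans):
        add(2 * k, 10, "10.0.0.99", f"probe{k}")
    spike = 2 * quiet_spans
    for i in range(40):
        add(spike, i, "10.0.0.99", f"user{i:03d}")
    for i in range(5):                           # repeats count once
        add(spike, 50 + i, "10.0.0.99", "user000")
    return events


if __name__ == "__main__":
    for ip, hits in find_outliers(sample_events()).items():
        for start, n, upper in hits:
            print(f"{ip} {start:%H:%M} unique={n} upperBound={upper}")
```

Two properties of this baseline are worth knowing before tuning it. A source seen in only one span has a standard deviation of 0, so its upper bound equals its own count and the absolute floor (MIN_UNIQUE) is the only thing standing between it and an alert. Conversely, because the spike is part of the baseline it is measured against, a lone spike among otherwise uniform spans clears mean + 3·stdev only when the source has roughly ten or more spans of history: with `quiet_spans=2` in the sample above the attacker's 40 names fall below a bound inflated to about 69 and nothing is flagged. Population standard deviation is used here so that a single-span source yields 0 rather than an error; Splunk's stdev is the sample form, which shifts the bound only slightly.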
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Registry
- Logon Session
- User Account
ATT&CK Techniques
- T1589
- T1589.002
Created: 2024-11-13