
Summary
This detection rule identifies suspicious Active Directory (AD) enumeration performed with the command-line utility AdFind. AdFind is a legitimate tool that administrators use for LDAP queries against AD, but it is also commonly used by attackers for reconnaissance once they have a foothold in a domain. The rule looks for process command lines containing specific AdFind flags and attribute names associated with known enumeration activity: querying account lockout settings, dumping accounts whose adminCount attribute is set (that is, accounts that are or were members of protected administrative groups), and dumping Exchange addresses.

The detection consists of several command-line selections combined with an OR condition: an alert fires as soon as any one of the predefined patterns appears, so a single matching AdFind invocation is enough to trigger it. Because these queries expose sensitive AD information and are a typical reconnaissance step before further attack activity, the rule is classified at high severity. It includes references that describe the command and its legitimate uses.

False positives can occur when administrators run the same queries as part of authorized work, so alerts should be interpreted in context: who ran the command, on which host, and whether it coincided with known administrative activity such as a change window.
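The selection-and-OR-condition logic described above, run over a handful of process-creation events, as an added Python example that is not part of the rule or of this page. The substrings in each selection are assumptions modelled on AdFind's documented query flags for the three behaviours the summary names (account lockout settings, adminCount dumps, Exchange addresses); the real rule's patterns may differ. The events, host names and the list of expected admin hosts are constructed for the example.

```python
"""Toy re-implementation of an 'any selection matches' AdFind detection
over constructed process-creation events (added example, not the rule)."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed selections, modelled on AdFind's documented flags and attributes.
# The actual rule's substrings are not reproduced on this page.
SELECTIONS: Dict[str, List[str]] = {
    "account_lockout": [
        "lockoutduration",
        "lockoutthreshold",
        "lockoutobservationwindow",
    ],
    "admin_accounts": ["admincountdump"],       # adfind -sc admincountdump
    "exchange_addresses": ["exchaddresses"],     # adfind -sc exchaddresses
}
LEVEL = "high"

# Constructed list of hosts where admins are expected to run AD queries.
# Used only to add triage context; it does not suppress the alert.
EXPECTED_ADMIN_HOSTS = {"JUMP01"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    command_line: str


def matched_selections(command_line: str) -> List[str]:
    """Return the names of every selection with a substring in the command
    line. Matching is case-insensitive, like Sigma's 'contains' modifier."""
    cl = command_line.lower()
    return [
        name for name, needles in SELECTIONS.items()
        if any(needle in cl for needle in needles)
    ]


def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Condition '1 of selection_*': alert if any selection matched."""
    hits = matched_selections(event.command_line)
    if not hits:
        return None
    return {
        "level": LEVEL,
        "host": event.host,
        "user": event.user,
        "selections": hits,
        "command_line": event.command_line,
        # Context for the analyst: same query from an unexpected host is
        # more suspicious than from a known admin jump host.
        "expected_admin_host": event.host in EXPECTED_ADMIN_HOSTS,
    }


def scan(events: List[ProcessEvent]) -> List[dict]:
    """Evaluate every event and keep only those that produced an alert."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample events: three should alert, two should not.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe",
                 "AdFind.exe -default -s base lockoutDuration lockoutThreshold"),
    ProcessEvent("WS01", "CORP\\jdoe", "adfind.exe -sc admincountdump"),
    ProcessEvent("JUMP01", "CORP\\exadmin", "AdFind.exe -sc exchaddresses"),
    ProcessEvent("DC01", "CORP\\admin",
                 'adfind.exe -f "(objectcategory=computer)" dnshostname'),
    ProcessEvent("WS02", "CORP\\alice", "notepad.exe C:\\notes.txt"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Note that the fourth event is an AdFind invocation that does not match any selection: the rule as summarised keys on the specific enumeration flags, not on AdFind itself, so a benign computer-object query produces no alert while the lockout, adminCount and Exchange queries each do.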
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Process
ATT&CK Techniques
- T1087.002
Created: 2021-12-13