
Summary
This detection rule aims to identify DNS server discovery attempts performed through LDAP query requests, particularly from less common applications. It selects DNS queries for names that begin with '_ldap.', which indicates that LDAP is being used to discover DNS servers. To separate standard applications from potential threats, the rule applies several filters: it checks the image path of the initiating process and excludes processes running from common directories such as 'Program Files' and 'Windows', as well as specific known processes belonging to Windows Defender and the Azure Guest Agent. It also disregards queries issued by common web browsers such as Chrome, Firefox and Opera. The rule's condition combines these selections and filters to reduce false positives, so that only LDAP-based queries not made by typical or benign applications are reported, pinpointing possible reconnaissance activity on a Windows system. The low severity level means that detected activity should be investigated but does not by itself signify an active threat.
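As an added illustration, not code from the rule itself, the selection and filter logic described above re-implemented in Python and run over a few constructed Sysmon DnsQuery (Event ID 22) records; the concrete paths used for the Windows Defender and Azure Guest Agent exclusions and the browser executable names are assumptions.

```python
# Added example: rule logic over constructed Sysmon Event ID 22 records.
# Paths for the Defender / Azure Guest Agent exclusions are assumed, not taken from the rule.
EXCLUDED_PREFIXES = tuple(p.lower() for p in (
    "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\",   # assumed Defender location
    "C:\\WindowsAzure\\",                               # assumed Azure Guest Agent location
))
BROWSERS = ("chrome.exe", "firefox.exe", "opera.exe")   # assumed browser image names


def evaluate(event):
    """Classify one DnsQuery event: 'alert', 'not_selected', or the name of the filter that matched."""
    query = event.get("QueryName", "").lower()
    image = event.get("Image", "").lower()
    if not query.startswith("_ldap."):
        return "not_selected"            # selection: only LDAP SRV-style names
    if image.startswith(EXCLUDED_PREFIXES):
        return "filter_known_path"       # filter: common install dirs and known agents
    if image.rsplit("\\", 1)[-1] in BROWSERS:
        return "filter_browser"          # filter keys on file name only; path is not checked
    return "alert"


def alerts(events):
    """Return (Image, QueryName) pairs for events the rule would raise."""
    return [(e["Image"], e["QueryName"]) for e in events if evaluate(e) == "alert"]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": "C:\\Windows\\System32\\lsass.exe",
     "QueryName": "_ldap._tcp.dc._msdcs.corp.example"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "_ldap._tcp.corp.example"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "QueryName": "_ldap._tcp.corp.example"},
    {"Image": "C:\\Users\\alice\\Downloads\\firefox.exe",
     "QueryName": "_ldap._tcp.corp.example"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe",
     "QueryName": "_ldap._tcp.dc._msdcs.corp.example"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(evaluate(e), e["Image"], e["QueryName"])
```

Only the fifth record survives both the selection and the filters; the fourth shows that the browser exclusion keys on the executable name alone, which is why the rule is rated low severity and its hits still need triage.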
Categories
- Windows
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1016
Created: 2022-08-20