
Summary
This detection rule identifies potentially malicious behavior associated with the Telegram application on Windows systems. Specifically, it looks for instances where Telegram enumerates local user groups, as recorded by EventCode 4798, which indicates that a process queried a user's security-enabled local group membership. Such enumeration can indicate an attempt to collect user account information and is often a precursor to privilege escalation or lateral movement through the network. To implement this rule effectively, organizations must collect Security Event Logs that include EventCode 4798. The rule not only detects the enumeration activity but also surfaces the relevant timestamps and context about the user and machine involved. Additional drill-down searches let analysts explore related risk events and detection results for the specific users and machines involved, providing further insight into the risk posed by Telegram in their environment.
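As an added example (not part of this rule's own search logic), the following Python applies the same detection logic to a few constructed Security log records: it keeps only EventCode 4798 records whose CallerProcessName is Telegram.exe and summarizes first/last time, count and the target accounts per host and subject user. Field names follow the Event ID 4798 schema; the events, hosts, paths and account names are constructed.

```python
import re

# Constructed sample Security log events (values are made up).
# Field names follow the Windows Security Event ID 4798 schema
# ("A user's local group membership was enumerated").
SAMPLE_EVENTS = [
    {"EventCode": "4798", "_time": "2024-12-10T09:14:02Z", "Computer": "WS-101",
     "SubjectUserName": "alice", "TargetUserName": "alice",
     "CallerProcessName": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"EventCode": "4798", "_time": "2024-12-10T09:14:05Z", "Computer": "WS-101",
     "SubjectUserName": "alice", "TargetUserName": "Administrator",
     "CallerProcessName": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"EventCode": "4798", "_time": "2024-12-10T09:20:11Z", "Computer": "WS-102",
     "SubjectUserName": "bob", "TargetUserName": "bob",
     "CallerProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": "4624", "_time": "2024-12-10T09:21:00Z", "Computer": "WS-101",
     "SubjectUserName": "alice", "TargetUserName": "alice",
     "CallerProcessName": r"C:\Windows\System32\lsass.exe"},
]

# Match a caller process whose image name is Telegram.exe, regardless of case
# or install directory (the path component before the file name is ignored).
TELEGRAM_RE = re.compile(r"\\telegram\.exe$", re.IGNORECASE)

def is_telegram_group_enum(event):
    """True when a 4798 (local group enumeration) event was raised by Telegram.exe."""
    if event.get("EventCode") != "4798":
        return False
    return bool(TELEGRAM_RE.search(event.get("CallerProcessName", "")))

def detect(events):
    """Return one summary row per (Computer, SubjectUserName): first/last time,
    hit count and the set of accounts whose groups were enumerated, the same
    shape a SIEM detection search would emit for analyst triage."""
    rows = {}
    for ev in filter(is_telegram_group_enum, events):
        key = (ev["Computer"], ev["SubjectUserName"])
        row = rows.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"],
                                    "count": 0, "targets": set()})
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["count"] += 1
        row["targets"].add(ev["TargetUserName"])
    return rows

if __name__ == "__main__":
    for (host, user), r in detect(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {r['count']} enumeration(s) of {sorted(r['targets'])} "
              f"between {r['firstTime']} and {r['lastTime']}")
```

Only the two Telegram-originated 4798 records on WS-101 survive; the svchost.exe enumeration and the unrelated 4624 logon event are dropped, which is the filtering a tuned version of this rule relies on to keep noise down.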
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1087
Created: 2024-12-10