
Summary
This detection rule aims to identify potential Active Directory (AD) user enumeration attempts conducted by non-machine accounts. Specifically, the rule checks for read access (Event ID 4662) to user objects in Active Directory, focusing on attributes that attackers typically read. It targets events where the SubjectUserName does not end with a '$' sign (indicating that it is not a machine account) and does not start with 'MSOL_' (indicating it is not a Microsoft Online account). The rule specifies the ObjectType of the user object being accessed, so that the access type is scrutinized to detect unauthorized enumeration attempts. The presence of certain access masks indicates that the requester might be attempting to gather information about user accounts, such as their properties or permissions, which can be leveraged for further attacks. Legitimate administrator activity is a known source of false positives and must be accounted for when tuning the rule, while preserving its ability to detect malicious intent.
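The filtering logic described above, run over a handful of constructed Event ID 4662 records, as an added illustration that is not the rule's own code. The schema GUID of the AD "user" class and the set of access masks treated as suspicious are assumptions made for this demo; the placeholder non-user GUID and the sample events are constructed, not real log data.

```python
from typing import Iterable, List

# AD schema GUID of the "user" object class (assumed to be the ObjectType the rule targets)
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"
# Access masks flagged as enumeration activity; 0x10 = ReadProperty (assumed set for this demo)
SUSPICIOUS_ACCESS_MASKS = {"0x10", "0x100"}


def is_user_enumeration(event: dict) -> bool:
    """Return True when a 4662 record matches the summary's criteria."""
    if event.get("EventID") != 4662:
        return False
    subject = event.get("SubjectUserName", "")
    # Exclude machine accounts (trailing '$') and MSOL_ accounts, as the rule does
    if subject.endswith("$") or subject.startswith("MSOL_"):
        return False
    # 4662 logs ObjectType as "%{guid}", so match on the GUID substring
    if USER_CLASS_GUID not in event.get("ObjectType", "").lower():
        return False
    return event.get("AccessMask", "").lower() in SUSPICIOUS_ACCESS_MASKS


def find_enumeration(events: Iterable[dict]) -> List[str]:
    """Return the SubjectUserName of every event that trips the rule."""
    return [e["SubjectUserName"] for e in events if is_user_enumeration(e)]


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    # non-machine account reading a user object: should match
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10"},
    # machine account: excluded by the '$' filter
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10"},
    # MSOL_ account: excluded by the prefix filter
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10"},
    # placeholder non-user class GUID: wrong ObjectType, should not match
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "ObjectType": "%{00000000-0000-0000-0000-000000000000}", "AccessMask": "0x10"},
    # different event ID altogether
    {"EventID": 4624, "SubjectUserName": "jdoe", "ObjectType": "", "AccessMask": ""},
]
```

Pair any hit with the Properties field of the same event to see which attributes were read before treating it as more than a triage lead.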
Categories
- Endpoint
- Identity Management
- Windows
Data Sources
- User Account
- Active Directory
- Logon Session
Created: 2020-03-30