Samirbous/EQL - AD Mass Properties Enum

## EQL - AD Mass Properties Enum
any where event.action == "Directory Service Access" and
 event.code == "4662" and
 not winlog.event_data.SubjectUserSid : "S-1-5-18" and
 winlog.event_data.AccessListDescription : "Read Property" and
 length(winlog.event_data.Properties) >= 800
	any where event.action == "Directory Service Access" and
	event.code == "4662" and
	not winlog.event_data.SubjectUserSid : "S-1-5-18" and
	winlog.event_data.AccessListDescription : "Read Property" and
	length(winlog.event_data.Properties) >= 800