Windows External Remote Login

Anvilogic Forge

Summary
This detection rule identifies unauthorized remote logon attempts to Windows systems from external IP addresses. It relies on Windows Event Code 4624, which records a successful logon. The rule keeps only entries whose logon type is 10, the type assigned to Remote Desktop Protocol (RDP) logons, and excludes source addresses in local and private ranges so that the results concentrate on potentially malicious external actors. The logic extracts the relevant details: timestamp, host, user, source IP, and the country associated with the source IP. Geolocation enrichment adds context about where the source IP originates, so security teams can respond appropriately to suspicious logins that arrive from outside the organization's network ranges. The rule is also linked to known threat actor groups and to malware families associated with this kind of activity, which provides context for the detection and makes it more actionable within a security operations framework.
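The filtering and extraction steps described above, written out as an added Python example (not Anvilogic's own rule logic). The events, field names (EventCode, Logon_Type, src_ip) and the geo-IP table are constructed for illustration; the field names are an assumption about how a SIEM flattens the Security log, and the ranges in LOCAL_RANGES are my reading of "local and private ranges".

```python
import ipaddress

# Constructed sample events in a flattened SIEM field shape (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T08:15:02Z", "host": "WS-01", "EventCode": "4624",
     "Logon_Type": "10", "user": "jdoe", "src_ip": "203.0.113.25"},
    {"_time": "2024-02-09T08:16:40Z", "host": "WS-02", "EventCode": "4624",
     "Logon_Type": "10", "user": "asmith", "src_ip": "10.20.30.40"},   # internal RDP
    {"_time": "2024-02-09T08:17:11Z", "host": "WS-01", "EventCode": "4624",
     "Logon_Type": "2", "user": "jdoe", "src_ip": "198.51.100.7"},     # console, not RDP
    {"_time": "2024-02-09T08:18:05Z", "host": "DC-01", "EventCode": "4624",
     "Logon_Type": "10", "user": "svc_backup", "src_ip": "::1"},       # loopback
    {"_time": "2024-02-09T08:19:30Z", "host": "WS-03", "EventCode": "4625",
     "Logon_Type": "10", "user": "guest", "src_ip": "198.51.100.9"},   # failed logon
    {"_time": "2024-02-09T08:20:00Z", "host": "WS-03", "EventCode": "4624",
     "Logon_Type": "10", "user": "SYSTEM", "src_ip": "-"},             # no address
]

# Constructed stand-in for the geolocation enrichment; a real deployment
# queries a GeoIP database or service here.
GEO_TABLE = {"203.0.113.25": "US"}

# Ranges the rule treats as local/private and therefore ignores (assumption).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]


def is_external(ip_text):
    """True for a parseable address outside every LOCAL_RANGES entry; '-' never alerts."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_RANGES)


def external_rdp_logons(events, geo=GEO_TABLE):
    """Successful (4624) RDP (type 10) logons from external IPs, with extracted fields."""
    hits = []
    for ev in events:
        # Compare as strings: SIEMs often deliver numeric fields as text.
        if str(ev.get("EventCode")) != "4624" or str(ev.get("Logon_Type")) != "10":
            continue
        src = str(ev.get("src_ip", ""))
        if not is_external(src):
            continue
        hits.append({"time": ev["_time"], "host": ev["host"], "user": ev["user"],
                     "src_ip": src, "country": geo.get(src, "unknown")})
    return hits
```

Running external_rdp_logons(SAMPLE_EVENTS) returns only the jdoe logon from 203.0.113.25; the private, loopback, non-RDP, failed and address-less events are all dropped.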
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • User Account
  • Logon Session
ATT&CK Techniques
  • T1021.001
  • T1021
Created: 2024-02-09