
Summary
This detection rule identifies the creation of local accounts whose names mimic the ANONYMOUS LOGON account that appears in Windows security logs. It targets usernames containing variations of 'ANONYMOUS' and 'LOGON', possibly padded with extra spaces or characters to resemble that standard logon identity. The rule relies on Windows Event ID 4720, which records the creation of a new user account in the security log, and applies filters to the account name to catch these look-alike names. It covers scenarios in which an adversary creates an account that blends in with legitimate system identities in order to mask persistence. Continuously monitoring for such account creations strengthens endpoint security and helps mitigate this persistence technique.
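The filtering logic described above, as an added example that is not the rule's own query: it checks Event ID 4720 records for a TargetUserName that contains 'ANONYMOUS' followed by 'LOGON' with any whitespace or filler characters between them, run over constructed sample events. The field names (EventID, TargetUserName, SubjectUserName, Computer) mirror the 4720 record; the sample data is made up.

```python
import re

# Event ID that Windows writes to the security log when a user account is created.
ACCOUNT_CREATED_EVENT_ID = 4720

# "ANONYMOUS" followed by "LOGON", case-insensitive, allowing spaces or
# filler characters between the two words (e.g. "ANONYMOUS  LOGON",
# "anonymous_logon", "Anonymous-Logon").
LOOKALIKE_PATTERN = re.compile(r"ANONYMOUS[\s_.\-]*LOGON", re.IGNORECASE)


def is_anonymous_logon_lookalike(target_user_name: str) -> bool:
    """Return True if the created account's name mimics ANONYMOUS LOGON."""
    return bool(LOOKALIKE_PATTERN.search(target_user_name.strip()))


def find_suspicious_account_creations(events):
    """Return the events that match the rule: a 4720 whose new account name
    looks like ANONYMOUS LOGON. Each event is a dict of 4720 record fields."""
    return [
        e for e in events
        if e.get("EventID") == ACCOUNT_CREATED_EVENT_ID
        and is_anonymous_logon_lookalike(e.get("TargetUserName", ""))
    ]


# Constructed sample events (not real log data) used to exercise the rule.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "admin",
     "TargetUserName": "svc_backup"},
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "admin",
     "TargetUserName": "ANONYMOUS LOGON"},
    {"EventID": 4720, "Computer": "WS02", "SubjectUserName": "jdoe",
     "TargetUserName": "anonymous  logon"},
    {"EventID": 4720, "Computer": "WS02", "SubjectUserName": "jdoe",
     "TargetUserName": "Anonymous_Logon "},
    # A 4624 logon by the genuine ANONYMOUS LOGON identity is not an account
    # creation, so the rule must not fire on it.
    {"EventID": 4624, "Computer": "WS03", "SubjectUserName": "-",
     "TargetUserName": "ANONYMOUS LOGON"},
]

if __name__ == "__main__":
    for hit in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['Computer']}: {hit['SubjectUserName']} created "
              f"account {hit['TargetUserName']!r}")
```

The third sample shows why the name is stripped and matched with a tolerant pattern rather than compared for equality: trailing spaces and underscores are exactly the padding the rule is meant to catch.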
Categories
- Windows
- Endpoint
Data Sources
- User Account
- Application Log
Created: 2019-10-31