Detect Remote Access Software Usage URL

Splunk Security Content

Summary
This detection identifies the use of known remote access software by examining web traffic through the Splunk Common Information Model (CIM) Web data model. It matches the requested URL and the HTTP user agent against a list of indicators for popular remote access tools such as AnyDesk, GoToMyPC, LogMeIn and TeamViewer, aggregates the matching events, and raises an alert for each source that reached one of these services. Remote access tools are a common way for attackers to keep hands-on-keyboard control of a compromised host, exfiltrate data, or move further into the network (ATT&CK T1219), but they are also widely used by IT support staff, so the search needs tuning: maintain exceptions for hosts or users with a legitimate need, treat a user-agent match as a weaker signal than a URL match (the user agent is client-controlled and many tools send a browser-like string), and make sure proxy or firewall logs are CIM-mapped to the Web data model so that the url and http_user_agent fields are populated.
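The matching logic described above, run over a handful of constructed proxy events with CIM Web field names. This is an added illustration, not the Splunk search or its bundled lookup: the indicator table, the allowlisted helpdesk subnet and the sample events are all assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed indicator table (an assumption, not Splunk's lookup):
# tool name -> domains it contacts and substrings seen in its user agent.
REMOTE_ACCESS_INDICATORS = {
    "AnyDesk":    {"domains": ["anydesk.com"],    "user_agents": ["anydesk"]},
    "GoToMyPC":   {"domains": ["gotomypc.com"],   "user_agents": ["gotomypc"]},
    "LogMeIn":    {"domains": ["logmein.com"],    "user_agents": ["logmein"]},
    "TeamViewer": {"domains": ["teamviewer.com"], "user_agents": ["teamviewer"]},
}

# Hypothetical exception list: sources allowed to use remote access tools
# (e.g. a helpdesk subnet). Tune to the organisation.
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample events using CIM Web field names (src, dest, url, http_user_agent).
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "dest": "203.0.113.10", "url": "http://download.anydesk.com/AnyDesk.exe", "http_user_agent": "Mozilla/5.0"},
    {"src": "10.1.2.3", "dest": "203.0.113.10", "url": "http://download.anydesk.com/AnyDesk.exe", "http_user_agent": "Mozilla/5.0"},
    {"src": "10.1.2.4", "dest": "203.0.113.20", "url": "https://api.example.com/status", "http_user_agent": "TeamViewer/15.0"},
    {"src": "10.50.0.7", "dest": "203.0.113.30", "url": "https://secure.logmein.com/", "http_user_agent": "Mozilla/5.0"},   # allowlisted helpdesk host
    {"src": "10.1.2.5", "dest": "203.0.113.40", "url": "https://www.notanydesk.com/", "http_user_agent": "Mozilla/5.0"},   # lookalike domain, must not match
    {"src": "10.1.2.6", "dest": "203.0.113.50", "url": "https://www.example.org/", "http_user_agent": "curl/8.0"},
]


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it; avoids substring hits like notanydesk.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(event):
    """Return the remote access tool an event points to, or None. URL match is checked before user agent."""
    host = urlparse(event.get("url", "")).hostname or ""
    ua = event.get("http_user_agent", "").lower()
    for tool, ind in REMOTE_ACCESS_INDICATORS.items():
        if any(host_matches(host, d) for d in ind["domains"]):
            return tool
        if any(s in ua for s in ind["user_agents"]):
            return tool
    return None


def is_allowed(src):
    """True if the source address falls inside an exception network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def detect(events):
    """Aggregate matching events by (src, dest, tool), like a stats-by search, skipping allowlisted sources."""
    results = {}
    for ev in events:
        tool = classify(ev)
        if tool is None or is_allowed(ev.get("src", "")):
            continue
        key = (ev["src"], ev.get("dest", ""), tool)
        r = results.setdefault(key, {"src": ev["src"], "dest": ev.get("dest", ""),
                                     "tool": tool, "count": 0, "urls": set(), "user_agents": set()})
        r["count"] += 1
        r["urls"].add(ev.get("url", ""))
        r["user_agents"].add(ev.get("http_user_agent", ""))
    # Sets become sorted lists so the output is stable and easy to read.
    return [dict(r, urls=sorted(r["urls"]), user_agents=sorted(r["user_agents"])) for r in results.values()]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running it reports two findings: AnyDesk from 10.1.2.3 (two events aggregated into one row) and TeamViewer from 10.1.2.4, matched only on the user agent. The LogMeIn event is suppressed by the helpdesk exception and the notanydesk.com lookalike does not match because the domain check requires an exact host or a subdomain, which is the kind of care the real lookup-based search also needs when indicators are expressed as wildcards.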
Categories
  • Network
  • Cloud
  • Infrastructure
Data Sources
  • Pod
  • Network Traffic
ATT&CK Techniques
  • T1219
Created: 2024-11-15