
Successful Login From Public IP Address

Anvilogic Forge

Summary
This detection rule identifies successful logins from public IP addresses, which can indicate unauthorized access or other malicious activity by threat actors. The rule uses Windows Event Log data, specifically Event Code 4624, which records a successful logon. The logic uses the function `get_endpoint_data` together with `get_endpoint_data_winevent` to retrieve the relevant event logs and applies an IP geolocation lookup to identify the source of the login. If the source IP is recognized as a public internet address and the logon type is Remote Interactive (Logon_Type=10), the rule captures the user details and the corresponding geographical information. A statistical aggregation then gives visibility into which accounts were accessed and from which countries the logins originated, so SOC analysts can prioritize investigation of anomalous access behavior. This method of detection is crucial to thwarting lateral movement and potential breaches, especially given the techniques linked to known adversaries such as LUCR-3 and the Volt Typhoon group, among others.
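The detection logic described above, applied to constructed sample 4624 records, as an added example that is not the Anvilogic rule's own code; the field names, the GEO_TABLE prefix map (a stand-in for the rule's geolocation lookup) and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of parsed Security-log records; field names are assumed,
# not the rule's exact schema. Well-known resolver addresses are used because
# the RFC 5737 documentation ranges are non-global in Python's ipaddress module.
EVENTS = [
    {"EventCode": 4624, "Logon_Type": 10, "user": "alice", "src_ip": "8.8.8.8"},
    {"EventCode": 4624, "Logon_Type": 10, "user": "bob",   "src_ip": "10.20.30.40"},
    {"EventCode": 4624, "Logon_Type": 2,  "user": "carol", "src_ip": "1.1.1.1"},
    {"EventCode": 4624, "Logon_Type": 10, "user": "alice", "src_ip": "1.1.1.1"},
    {"EventCode": 4625, "Logon_Type": 10, "user": "dave",  "src_ip": "9.9.9.9"},
    {"EventCode": 4624, "Logon_Type": 10, "user": "erin",  "src_ip": "fe80::1"},
    {"EventCode": 4624, "Logon_Type": 10, "user": "alice", "src_ip": "8.8.4.4"},
]

# Hypothetical stand-in for the rule's IP geolocation lookup: prefix -> country.
GEO_TABLE = {"8.8.0.0/16": "CountryA", "1.1.1.0/24": "CountryB"}

def geo_lookup(ip):
    """Map a source IP to a country via GEO_TABLE ("unknown" if no prefix matches)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return country
    return "unknown"

def is_public(ip):
    """True only for routable internet addresses (RFC 1918, loopback, link-local
    and other reserved ranges excluded); unparseable values count as not public."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def detect(events):
    """Apply the rule: successful logon (4624), Remote Interactive (Logon_Type=10),
    public source IP; aggregate as {(user, country): count} like the stats step."""
    hits = defaultdict(int)
    for e in events:
        if e.get("EventCode") != 4624 or e.get("Logon_Type") != 10:
            continue
        if not is_public(e.get("src_ip", "")):
            continue
        hits[(e["user"], geo_lookup(e["src_ip"]))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (user, country), n in sorted(detect(EVENTS).items()):
        print(f"{user:<8} {country:<10} {n}")
```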
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1021.001
  • T1078.001
  • T1133
  • T1078.002
  • T1078
Created: 2024-02-09