
Potential Exposed SMB_RDP Port - Windows

Anvilogic Forge

Summary
This detection rule targets potential unauthorized access to Windows systems over SMB (Server Message Block) and RDP (Remote Desktop Protocol) ports, which could indicate exposures that threat actors may exploit. The rule focuses specifically on successful logon events (Event ID 4624) from external IP addresses. The detection logic uses Splunk to parse the logs, filters on logon type 3, and excludes trusted internal IP ranges (such as private network space). The `iplocation` function adds the geographical origin of the source IP address, giving better context for identifying malicious logons. The output is a structured table of the relevant details: time of logon, user account, associated process, and geographical location.
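To illustrate the filter the summary describes, here is an added Python example (not Anvilogic's rule, which is written in Splunk SPL) run over constructed 4624/4625 records: the Splunk-style field names, the trusted ranges, and the `GEO_LOOKUP` table standing in for `iplocation` are assumptions.

```python
import ipaddress

# Constructed sample Event ID 4624/4625 records (Splunk-style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-03-21T08:01:10Z", "EventCode": 4624, "Logon_Type": 3, "Account_Name": "svc_backup",
     "Source_Network_Address": "10.20.5.7", "Process_Name": "-", "Computer": "FS01"},
    {"_time": "2024-03-21T08:02:44Z", "EventCode": 4624, "Logon_Type": 3, "Account_Name": "administrator",
     "Source_Network_Address": "203.0.113.45", "Process_Name": "-", "Computer": "FS01"},
    {"_time": "2024-03-21T08:03:02Z", "EventCode": 4624, "Logon_Type": 10, "Account_Name": "jdoe",
     "Source_Network_Address": "198.51.100.9", "Process_Name": "C:\\Windows\\System32\\winlogon.exe",
     "Computer": "RDP01"},
    {"_time": "2024-03-21T08:04:15Z", "EventCode": 4625, "Logon_Type": 3, "Account_Name": "guest",
     "Source_Network_Address": "198.51.100.9", "Process_Name": "-", "Computer": "FS01"},
    {"_time": "2024-03-21T08:05:30Z", "EventCode": 4624, "Logon_Type": 3, "Account_Name": "ANONYMOUS LOGON",
     "Source_Network_Address": "::1", "Process_Name": "-", "Computer": "FS01"},
    {"_time": "2024-03-21T08:06:01Z", "EventCode": 4624, "Logon_Type": 3, "Account_Name": "backup_admin",
     "Source_Network_Address": "2001:db8::5", "Process_Name": "-", "Computer": "FS01"},
]

# Assumed trusted ranges excluded from alerting: RFC 1918, loopback, link-local and ULA.
# Listed explicitly rather than via ip_address().is_private, which also treats documentation ranges as private.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7")]

# Constructed stand-in for Splunk's iplocation lookup (hypothetical country codes).
GEO_LOOKUP = {"203.0.113.45": "XX", "2001:db8::5": "YY"}


def is_external(addr: str) -> bool:
    """True if addr parses as an IP address and lies outside every trusted range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "-", a hostname or a malformed value cannot be attributed, so do not alert on it
    return not any(ip in net for net in TRUSTED_NETWORKS)


def external_network_logons(events, geo=GEO_LOOKUP):
    """Keep successful (4624) network logons (type 3) from external sources as table rows."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 4624 or ev.get("Logon_Type") != 3:
            continue
        src = ev.get("Source_Network_Address", "")
        if not is_external(src):
            continue
        rows.append({"_time": ev["_time"], "host": ev["Computer"], "user": ev["Account_Name"],
                     "src_ip": src, "process": ev["Process_Name"], "country": geo.get(src, "unknown")})
    return rows


if __name__ == "__main__":
    for row in external_network_logons(SAMPLE_EVENTS):
        print(row)
```

Only the two logons from outside the trusted ranges survive the filter; the type 10 RDP logon, the failed 4625 and the loopback logon are dropped by design, so a production version should decide separately whether interactive RDP logons (type 10) deserve their own rule.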
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Process
ATT&CK Techniques
  • T1190
Created: 2024-03-21