
Summary
This detection rule identifies suspicious remote sessions conducted via TeamViewer by monitoring the creation of specific log files that TeamViewer writes during such sessions. The rule has two file selections, both scoped to a TeamViewer directory: firstly, any file whose name ends with `tvprint.db` or `TVNetwork.log`, and secondly, any log file whose name contains the substring `_Logfile.log`. If either selection matches, an alert is raised, indicating possible misuse of TeamViewer, such as unauthorized remote access or command-and-control activity over the tool. The rule is intended to help organizations detect security incidents involving remote access tools.
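The two selections above, re-implemented as a small matcher and run over constructed file-creation events (an added example, not the rule's own code; the Sysmon-like `TargetFilename` field, the case-insensitive matching and the sample paths are assumptions):

```python
"""Added example: re-implementation of the rule's two file-path selections,
run over constructed file-creation events. Field names and paths are assumed."""
import ntpath
from typing import Optional

# Selection 1: exact file names inside a TeamViewer directory (matched
# case-insensitively, since Windows file systems are case-insensitive).
EXACT_NAMES = {"tvprint.db", "tvnetwork.log"}
# Selection 2: any file whose name contains this substring, same directory scope.
NAME_SUBSTRING = "_logfile.log"


def in_teamviewer_dir(path: str) -> bool:
    """True when any directory component of a Windows path is 'TeamViewer'."""
    directory = ntpath.dirname(path)
    parts = directory.replace("/", "\\").split("\\")
    return any(p.lower() == "teamviewer" for p in parts)


def matches_rule(path: str) -> Optional[str]:
    """Return the name of the matching selection, or None if the path does not match."""
    if not in_teamviewer_dir(path):
        return None  # both selections require the TeamViewer directory scope
    name = ntpath.basename(path).lower()
    if name in EXACT_NAMES:
        return "selection_file_names"
    if NAME_SUBSTRING in name:
        return "selection_logfile"
    return None


def scan_events(events):
    """Run the rule over file-creation events (dicts carrying 'TargetFilename')."""
    hits = []
    for event in events:
        selection = matches_rule(event["TargetFilename"])
        if selection:
            hits.append((event["TargetFilename"], selection))
    return hits


# Constructed sample events in a Sysmon-like shape (Event ID 11, FileCreate).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Program Files\TeamViewer\tvprint.db"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\TeamViewer\TVNetwork.log"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\TeamViewer\Connections_incoming.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Temp\tvprint.db"},  # right name, wrong directory
]

if __name__ == "__main__":
    for path, selection in scan_events(SAMPLE_EVENTS):
        print(f"{selection}: {path}")
```

Only the first three sample events match; the last one shows why the directory scope matters for limiting false positives.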
Categories
- Windows
- Endpoint
- Network
Data Sources
- File
- Process
Created: 2022-01-30