Unusual Windows Username

Elastic Detection Rules

Summary
This detection rule uses machine learning (ML) to identify Windows usernames with unusually rare login activity, which may indicate security threats such as unauthorized access or compromised accounts. It analyzes login events and flags anomalies against historical user behavior: when a username that is not normally active logs in, the rule raises an alert. This approach is most useful in environments where new user accounts are seldom created. Potential false positives include legitimate administrative actions, such as system configuration or troubleshooting by IT staff. The rule is valuable for detecting lateral movement and pinpointing suspicious activity associated with compromised credentials, since an unusual username may indicate an attempt to pivot between hosts. Investigate logs for unusual activity linked to these usernames to assess and mitigate the risk.
Categories
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Process
  • Logon Session
ATT&CK Techniques
  • T1078
  • T1078.002
  • T1078.003
Created: 2020-03-25