Windows Identify PowerShell Web Access IIS Pool

Splunk Security Content

Summary
This analytic rule is designed to detect and monitor PowerShell Web Access (PSWA) usage in Windows environments by tracking relevant Windows Security Event Logs, specifically Event ID 4648 for logon attempts using explicit credentials and Event ID 4624 for successful logons. By analyzing these events, the rule provides valuable insights into access patterns including connection attempts, successful and unsuccessful logons, unique target accounts and domains, alongside details about the host servers and processes involved. It aims to help security analysts identify potential misuse scenarios such as lateral movement or brute force logon attempts within an organization. This proactive monitoring is crucial, especially considering the administrative capabilities of PowerShell, which can be exploited if misused or left unchecked. The rule can assist teams in quickly assessing incidents tied to PSWA usage and effectively responding to possible security threats.
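The summary above describes the rule's logic in words: collect Event ID 4648 (explicit-credential logon attempts) and 4624 (successful logons), attribute them to the PSWA gateway, and roll up counts, unique accounts, domains, target servers and processes per host. The following Python is an added example of that aggregation written by the editor; it is not the Splunk rule's own SPL and does not claim to reproduce its exact filters. It assumes events are plain dicts carrying the Windows Security field names (TargetUserName, TargetDomainName, TargetServerName, ProcessName, Computer), that PSWA logons show the IIS worker process w3wp.exe as the originating process (the process that hosts the PSWA application pool), and that the sample events, host names and thresholds are constructed for illustration.

```python
"""Aggregate Windows Security 4648/4624 events into a per-host PSWA summary.

Added example, not the Splunk rule's SPL. Field names follow the Windows
Security event schema; the w3wp.exe attribution and all sample data below
are assumptions made for this illustration.
"""
from collections import defaultdict

# IIS worker process that hosts the PSWA application pool (assumption).
PSWA_PROCESS = "w3wp.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    # Ordinary administrative use via PSWA: two attempts, both succeed.
    {"EventCode": 4648, "Computer": "pswa01.corp.example", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetServerName": "srv-app01.corp.example", "ProcessName": W3WP},
    {"EventCode": 4624, "Computer": "pswa01.corp.example", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 3, "ProcessName": W3WP},
    {"EventCode": 4648, "Computer": "pswa01.corp.example", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "TargetServerName": "srv-app02.corp.example", "ProcessName": W3WP},
    {"EventCode": 4624, "Computer": "pswa01.corp.example", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonType": 3, "ProcessName": W3WP},
    # Pattern worth triage: six distinct accounts tried from one gateway, one success.
    *[{"EventCode": 4648, "Computer": "pswa02.corp.example", "TargetUserName": f"user{i}",
       "TargetDomainName": "CORP", "TargetServerName": "srv-db01.corp.example", "ProcessName": W3WP}
      for i in range(6)],
    {"EventCode": 4624, "Computer": "pswa02.corp.example", "TargetUserName": "user3",
     "TargetDomainName": "CORP", "LogonType": 3, "ProcessName": W3WP},
    # Unrelated explicit-credential logon from a service process; must be ignored.
    {"EventCode": 4648, "Computer": "dc01.corp.example", "TargetUserName": "backup",
     "TargetDomainName": "CORP", "TargetServerName": "localhost",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
]


def _new_bucket():
    return {"attempts": 0, "successes": 0, "accounts": set(), "domains": set(),
            "target_servers": set(), "processes": set()}


def summarize_pswa_activity(events, process_name=PSWA_PROCESS):
    """Return {host: summary} for 4648/4624 events originating from the PSWA process.

    attempts  = count of 4648 (explicit-credential logon attempts)
    successes = count of 4624 (successful logons)
    The remaining keys are the distinct values seen per host.
    """
    summary = defaultdict(_new_bucket)
    for ev in events:
        proc = str(ev.get("ProcessName", ""))
        # Keep only events attributed to the IIS worker process hosting PSWA.
        if not proc.lower().endswith(process_name.lower()):
            continue
        code = ev.get("EventCode")
        if code not in (4648, 4624):
            continue
        bucket = summary[ev["Computer"]]
        if code == 4648:
            bucket["attempts"] += 1
            bucket["target_servers"].add(ev.get("TargetServerName", "-"))
        else:
            bucket["successes"] += 1
        bucket["accounts"].add(ev["TargetUserName"])
        bucket["domains"].add(ev["TargetDomainName"])
        bucket["processes"].add(proc)
    return dict(summary)


def flag_hosts(summary, min_accounts=4):
    """Hosts where many distinct accounts were attempted but fewer logons succeeded.

    A high attempt-to-success ratio across several accounts is the shape of a
    password-guessing or lateral-movement pattern the rule summary calls out.
    The threshold is an illustrative default, not the rule's setting.
    """
    return sorted(host for host, b in summary.items()
                  if len(b["accounts"]) >= min_accounts and b["successes"] < b["attempts"])


if __name__ == "__main__":
    result = summarize_pswa_activity(SAMPLE_EVENTS)
    for host, b in sorted(result.items()):
        print(f"{host}: attempts={b['attempts']} successes={b['successes']} "
              f"accounts={sorted(b['accounts'])} targets={sorted(b['target_servers'])}")
    print("review:", flag_hosts(result))
```

In production the same roll-up would be a `stats count(eval(EventCode=4648)) ... dc(TargetUserName) by Computer` over the Security index; the Python version mainly shows which fields carry the signal and why filtering on the originating process matters, since 4648 events from service processes and scheduled tasks would otherwise swamp the PSWA ones.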
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1190
Created: 2024-11-13