
Summary
This rule detects potential account takeover by identifying users who normally log in many times from a single source IP but then have successful logons from a second, low-volume source IP. It targets Windows logon events (event ID 4624) from the Windows Security Event Log with network or remote interactive logon types and a non-local source IP. The rule aggregates logon events by user and source IP and computes max_logon, min_logon, and the distinct source IP count. A match is produced when a user has a very high logon count from one IP (max_logon >= 1000), a small number of logons from a second IP (min_logon between 1 and 5), and exactly two distinct source IPs (count_distinct == 2). The output includes the user name, the suspicious (low-volume) source IP, and the associated metrics for investigation. The rule is mapped to MITRE ATT&CK technique T1078 (Valid Accounts) under Privilege Escalation, reflecting credential misuse to access an account from a new location. It has a risk score of 47 and is rated medium severity. False positives may occur with legitimate second-device use (e.g., a new laptop or a travel VPN) or with service and shared accounts; adjust thresholds or exclude known ranges as needed. Recommended triage steps include validating the activity with the user, checking the reputation of the IP, cross-referencing related alerts, and considering MFA enforcement or session revocation if takeover is suspected.
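As an added illustration of the aggregation and threshold logic described above (not the rule's own query), the following Python runs the same per-user, per-source-IP counting over a constructed set of 4624 events. Logon types 3 and 10 standing in for "network/remote interactive", and the local-address filter, are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of successful 4624 events (not real log data).
# Each tuple is (user, source IP, logon type).
SAMPLE_EVENTS = (
    [("alice", "10.0.0.5", 3)] * 1200
    + [("alice", "203.0.113.9", 10)] * 2      # low-volume second IP -> match
    + [("bob", "10.0.0.7", 3)] * 1500
    + [("bob", "10.0.0.8", 3)] * 40           # second IP too busy to be "low volume"
    + [("carol", "10.0.0.9", 3)] * 300        # primary IP below the max_logon threshold
    + [("carol", "198.51.100.4", 10)] * 1
    + [("dave", "127.0.0.1", 3)] * 2000       # local source, dropped by the filter
    + [("dave", "10.0.0.10", 3)] * 3
)

# Assumption: types 3 (network) and 10 (remote interactive) are the logon
# types the rule keeps; these values are treated as local/non-routable.
REMOTE_LOGON_TYPES = {3, 10}
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}


def aggregate_logons(events):
    """Count successful remote logons per user and source IP."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, src_ip, logon_type in events:
        if logon_type not in REMOTE_LOGON_TYPES or src_ip in LOCAL_SOURCES:
            continue
        counts[user][src_ip] += 1
    return counts


def find_low_volume_second_ips(events, max_logon_threshold=1000, min_logon_range=(1, 5)):
    """Apply the rule's thresholds: exactly two distinct IPs, one with at least
    max_logon_threshold logons and the other inside min_logon_range."""
    matches = []
    for user, per_ip in aggregate_logons(events).items():
        if len(per_ip) != 2:                      # count_distinct == 2
            continue
        ranked = sorted(per_ip.items(), key=lambda kv: kv[1], reverse=True)
        (_, max_logon), (low_ip, min_logon) = ranked
        if max_logon >= max_logon_threshold and min_logon_range[0] <= min_logon <= min_logon_range[1]:
            matches.append({"user": user, "suspicious_ip": low_ip,
                            "max_logon": max_logon, "min_logon": min_logon,
                            "count_distinct": 2})
    return matches


if __name__ == "__main__":
    for hit in find_low_volume_second_ips(SAMPLE_EVENTS):
        print(hit)
```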
Categories
- Endpoint
- Windows
Data Sources
- Logon Session
- Application Log
ATT&CK Techniques
- T1078
Created: 2026-02-25