
Summary
The rule detects potential Kerberos relay attacks, which may indicate that an adversary has captured and relayed a computer account's authentication to perform actions on behalf of a target system. It does this by identifying coercion attempts in which a machine account authenticates from an unauthorized source IP address. This EQL (Event Query Language) rule is a sequence rule: it correlates access attempts to machine accounts with their corresponding logon attempts, filtering out legitimate usage patterns to reduce false positives. The rule includes triage and investigation steps, encourages review of related activity on the target server, and suggests countermeasures. It also provides guidance for handling false positives caused by legitimate administrative activity, so that detection stays effective without producing excessive alerts.
Categories
- Endpoint
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1187
- T1557
- T1557.001
Created: 2025-06-18