
Summary
Detects when the ScreenConnect (ConnectWise Control) client connects to a server host that is newly observed and is not the official ScreenConnect cloud. The rule parses the server host from the client command line, groups observations by that server host, requires that the server was first observed within the rule window (now minus 5 days), and constrains results to a single endpoint host to reduce noise. It emits an alert when a non-default server is observed within the last 6 minutes and only one endpoint host is involved, returning the host identifiers, the host name, and the related ScreenConnect command line for triage. The detection is mapped to MITRE ATT&CK T1219 (Remote Access Tools), sub-technique T1219.002 (Remote Desktop Software), under the TA0011 (Command and Control) tactic: the ScreenConnect client can be misused for C2 or persistence, and surfacing self-hosted or non-standard relay servers highlights potential abuse or compromise.
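As an added illustration of the logic described above (not the rule's own query or code), the following Python emulates the detection over constructed process events. The `h=` command-line parameter as the relay host, the `.screenconnect.com` suffix for official relays, and every host and command line in the sample are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

OFFICIAL_SUFFIX = ".screenconnect.com"  # assumed domain of the official cloud relays
FIRST_SEEN_WINDOW = timedelta(days=5)   # rule window: now minus 5 days
ALERT_WINDOW = timedelta(minutes=6)     # alert on activity in the last 6 minutes

def parse_server_host(cmdline):
    """Relay host from the client's URL-style argument ("?e=Access&y=Guest&h=<host>&p=<port>...",
    an assumed layout modelled on typical ScreenConnect client launches), or None."""
    m = re.search(r'\?([^"\s]*)', cmdline)
    hosts = parse_qs(m.group(1)).get("h") if m else None
    return hosts[0].lower() if hosts else None
def evaluate(events, now):
    """events: (timestamp, host_id, host_name, cmdline). One alert per relay that is
    non-official, first seen inside the window, active in the last 6 minutes, single endpoint."""
    by_server = {}
    for ts, host_id, host_name, cmdline in events:
        server = parse_server_host(cmdline)
        if not server or server.endswith(OFFICIAL_SUFFIX):
            continue
        rec = by_server.setdefault(server, {"first": ts, "last": ts, "hosts": {}, "cmd": cmdline})
        rec["first"] = min(rec["first"], ts)
        if ts >= rec["last"]:
            rec["last"], rec["cmd"] = ts, cmdline  # keep the newest command line for triage
        rec["hosts"][host_id] = host_name
    alerts = []
    for server, rec in by_server.items():
        if rec["first"] < now - FIRST_SEEN_WINDOW:
            continue  # relay already known before the window: not "newly observed"
        if rec["last"] < now - ALERT_WINDOW:
            continue  # no connection in the last 6 minutes
        if len(rec["hosts"]) != 1:
            continue  # several endpoints: more likely a sanctioned rollout than a one-off
        (host_id, host_name), = rec["hosts"].items()
        alerts.append({"server": server, "host_id": host_id, "host_name": host_name, "cmdline": rec["cmd"]})
    return alerts

NOW = datetime(2026, 3, 9, 12, 0, 0)
CLIENT = r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"'
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    (NOW - timedelta(minutes=2), "h-001", "WS01", CLIENT + ' "?e=Access&y=Guest&h=relay.example.net&p=8041&s=1111"'),
    (NOW - timedelta(minutes=3), "h-002", "WS02", CLIENT + ' "?e=Access&y=Guest&h=instance-xyz-relay.screenconnect.com&p=443&s=2222"'),
    (NOW - timedelta(days=10), "h-003", "WS03", CLIENT + ' "?e=Access&y=Guest&h=old-relay.example.org&p=8041&s=3333"'),
    (NOW - timedelta(minutes=1), "h-003", "WS03", CLIENT + ' "?e=Access&y=Guest&h=old-relay.example.org&p=8041&s=3333"'),
]

def run_sample():
    return evaluate(SAMPLE_EVENTS, NOW)  # expect one alert: relay.example.net on WS01
```

Only WS01 alerts: WS02 talks to an official relay, and WS03's relay was first seen ten days ago, outside the 5-day window.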
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
ATT&CK Techniques
- T1219
- T1219.002
Created: 2026-03-09