
Rare User Logon

Elastic Detection Rules

Summary
The 'Rare User Logon' detection rule leverages a machine learning job to identify unusual user names in authentication logs, which may indicate credentialed access through new or seldom-used user accounts. Such accounts may have become active through compromised credentials, which is a security concern. The rule surfaces potential account misuse, particularly cases where an inactive user account is activated without proper authorization. The anomaly-detection threshold is intended to filter out normal user behavior while highlighting suspicious activity that could precede a major security incident. Organizations should monitor these alerts closely, as they align with tactics associated with unauthorized access and persistence in web applications. The rule runs on Elastic’s security platform and depends on data from integrations such as Elastic Defend, Auditd Manager, and the System integration to collect and analyze the necessary authentication logs.
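To make the idea behind the rule concrete, the following added example (not Elastic's own machine learning job, which uses unsupervised anomaly scoring rather than the simple frequency baseline shown here) builds a per-user logon baseline from a window of constructed sshd-style log lines and then flags later successful logons by users that are either absent from the baseline or fall below a share threshold. All log lines, host names, user names, and IP addresses are constructed sample data; the `min_share` parameter is an assumption standing in for the rule's anomaly threshold.

```python
"""Frequency-based "rare user logon" baseline over constructed auth log lines.

Illustrative only: Elastic's rule relies on an anomaly-detection ML job, whereas
this script counts successful logons per user and applies a share threshold.
"""
import re
from collections import Counter

# Constructed sample data (syslog-style sshd lines); not real records.
BASELINE_LOGS = [
    "Jun 01 08:02:11 web01 sshd[1022]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2",
    "Jun 01 08:05:42 web01 sshd[1031]: Accepted publickey for bob from 10.0.0.7 port 51002 ssh2",
    "Jun 01 09:10:03 web01 sshd[1044]: Accepted publickey for alice from 10.0.0.5 port 51010 ssh2",
    "Jun 01 10:12:55 web01 sshd[1058]: Accepted password for bob from 10.0.0.7 port 51020 ssh2",
    "Jun 01 11:30:01 web01 sshd[1060]: Failed password for svc_backup from 10.0.0.9 port 51030 ssh2",
    "Jun 02 08:01:00 web01 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 52000 ssh2",
    "Jun 02 08:03:10 web01 sshd[2005]: Accepted publickey for bob from 10.0.0.7 port 52002 ssh2",
    "Jun 02 08:45:19 web01 sshd[2010]: Accepted publickey for alice from 10.0.0.5 port 52011 ssh2",
    "Jun 02 14:22:37 web01 sshd[2022]: Accepted publickey for carol from 10.0.0.8 port 52030 ssh2",
    "Jun 03 08:00:42 web01 sshd[3001]: Accepted publickey for alice from 10.0.0.5 port 53000 ssh2",
]

# Constructed lines from the window being evaluated against the baseline.
NEW_LOGS = [
    "Jun 04 03:14:09 web01 sshd[4001]: Accepted password for svc_backup from 203.0.113.40 port 54000 ssh2",
    "Jun 04 08:01:30 web01 sshd[4002]: Accepted publickey for alice from 10.0.0.5 port 54001 ssh2",
    "Jun 04 08:02:44 web01 sshd[4003]: Accepted publickey for carol from 10.0.0.8 port 54002 ssh2",
]

# Only successful logons count; failed attempts are deliberately not matched.
LOGON_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def parse_logon(line):
    """Return (user, source_ip, auth_method) for a successful logon line, else None."""
    m = LOGON_RE.search(line)
    if not m:
        return None
    method, user, src = m.groups()
    return user, src, method


def build_baseline(lines):
    """Count successful logons per user across the baseline window."""
    counts = Counter()
    for line in lines:
        parsed = parse_logon(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts


def find_rare_logons(lines, baseline, min_share=0.15):
    """Flag successful logons by users never seen in the baseline, or whose
    share of baseline logons is below min_share (an assumed threshold)."""
    total = sum(baseline.values())
    findings = []
    for line in lines:
        parsed = parse_logon(line)
        if not parsed:
            continue
        user, src, method = parsed
        seen = baseline.get(user, 0)
        if seen == 0:
            findings.append({"user": user, "source": src, "method": method,
                             "reason": "never seen in baseline"})
        elif total and seen / total < min_share:
            findings.append({"user": user, "source": src, "method": method,
                             "reason": f"rare user ({seen}/{total} baseline logons)"})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for finding in find_rare_logons(NEW_LOGS, baseline):
        print(finding)
```

With the constructed data, the `svc_backup` logon is flagged because the account only ever appears in a failed attempt during the baseline, and `carol` is flagged as rare because she accounts for one of nine baseline logons; raising or lowering `min_share` changes whether low-frequency but legitimate accounts like `carol` generate alerts, which is the tuning trade-off the rule's threshold addresses.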
Categories
  • Identity Management
  • Endpoint
  • Cloud
  • Application
  • Infrastructure
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Command
  • Logon Session
ATT&CK Techniques
  • T1078
  • T1078.002
  • T1078.003
Created: 2021-06-10