OpenCanary - MSSQL Login Attempt Via Windows Authentication

Summary
This OpenCanary rule monitors and alerts on login attempts that use Windows credentials to reach an MSSQL service hosted on an OpenCanary node. It matches on log type 9002, which corresponds to SQL Server error logs that record authentication attempts, both successful and failed. Capturing these events lets the rule surface potentially unauthorized access attempts that exploit Windows Authentication, which may indicate a breach or an attack targeting credentials. The rule is classified as high severity and maps to the credential access and collection tactics of the MITRE ATT&CK framework, specifically techniques T1003 (Credential Dumping) and T1213 (Credential Access with Password Managers). See the OpenCanary documentation and the provided references for further technical details on configuring the service and understanding its logging capabilities.
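As an added example (not code from this rule page or from the OpenCanary project), the Python below applies the rule's logic to constructed OpenCanary JSON log lines: it keeps only log type 9002 events, emits an alert carrying the severity and ATT&CK techniques listed above, tolerates a corrupt line, and counts attempts per source host so repeated probing stands out. The field names under `logdata` (USERNAME, DOMAIN, HOSTNAME) are assumed for illustration.

```python
import json
from collections import Counter

# 9002 is OpenCanary's log type for an MSSQL login via Windows Authentication.
MSSQL_LOGIN_WINAUTH = 9002

# Constructed sample events, one JSON object per line; "logdata" keys are assumed.
SAMPLE_LOG = """
{"local_time": "2024-03-08 10:01:02", "logdata": {"USERNAME": "svc_backup", "DOMAIN": "CORP", "HOSTNAME": "WS01"}, "logtype": 9002, "node_id": "canary-1", "src_host": "10.0.0.77"}
{"local_time": "2024-03-08 10:01:03", "logdata": {"USERNAME": "sa"}, "logtype": 9001, "node_id": "canary-1", "src_host": "10.0.0.77"}
{"local_time": "2024-03-08 10:01:05", "logdata": {"USERNAME": "administrator", "DOMAIN": "CORP", "HOSTNAME": "WS01"}, "logtype": 9002, "node_id": "canary-1", "src_host": "10.0.0.77"}
{"local_time": "2024-03-08 10:02:00", "logdata": {"USERNAME": "jdoe", "DOMAIN": "CORP", "HOSTNAME": "LAPTOP9"}, "logtype": 9002, "node_id": "canary-1", "src_host": "10.0.0.91"}
not json: a deliberately corrupt line to exercise the parser
"""

def parse_events(text):
    """Parse JSON-lines input, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort the whole batch
    return events

def detect_winauth_logins(events):
    """Emit one alert per log type 9002 event, carrying the rule's metadata."""
    alerts = []
    for ev in events:
        if ev.get("logtype") != MSSQL_LOGIN_WINAUTH:
            continue  # e.g. 9001 (SQL-auth attempts) are out of scope for this rule
        logdata = ev.get("logdata") or {}
        alerts.append({
            "severity": "high",
            "node_id": ev.get("node_id"),
            "src_host": ev.get("src_host"),
            "user": f"{logdata.get('DOMAIN', '?')}\\{logdata.get('USERNAME', '?')}",
            "client_host": logdata.get("HOSTNAME"),
            "time": ev.get("local_time"),
            "attack_techniques": ["T1003", "T1213"],
        })
    return alerts

def attempts_per_source(alerts):
    """Count alerts per source IP so repeated probing from one host stands out."""
    return Counter(a["src_host"] for a in alerts)
```

Any hit from a canary is worth triage, since no legitimate client should ever authenticate to the decoy service.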
Categories
  • Endpoint
  • Windows
  • Application
Data Sources
  • Application Log
Created: 2024-03-08