
Potential Remote Desktop Connection to Non-Domain Host

Sigma Rules

Summary
This Sigma rule flags Remote Desktop Protocol (RDP) connections that authenticate with NTLM, which suggests the target host is not a member of the domain. It reads the Microsoft-Windows-NTLM/Operational log and selects Event ID 8001, the audit record written for outgoing NTLM authentication to a remote server (the event is only produced when NTLM auditing is enabled through the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"), where the target name starts with 'TERMSRV', the service principal name prefix that Remote Desktop clients request. A domain-joined host reached by its fully qualified name is normally authenticated with Kerberos, so NTLM to a TERMSRV target indicates either a host outside the domain or a domain host addressed by IP address or short name. Such connections can indicate remote-access tooling used for command and control, unauthorized access, or lateral movement, so matches are raised for investigation. Expected false positives are RDP to hosts in legitimate domains and to domain hosts not addressed by FQDN; these should be excluded when tuning the rule.
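The selection logic described above, run over constructed sample records, as an added example (this is not the Sigma rule's own code or code from the page). It models the Event ID 8001 records the rule matches, applies the `TargetName` prefix check with Sigma's case-insensitive semantics, and then layers on the tuning the rule's false-positive notes call for. The record field names other than `TargetName`, the sample events, and the trusted-domain list are assumptions made for the example.

```python
"""Selection logic of 'Potential Remote Desktop Connection to Non-Domain Host'.

Added example, not the Sigma rule's code. Models Microsoft-Windows-NTLM/Operational
Event ID 8001 records whose TargetName starts with 'TERMSRV' and applies the
exclusions the rule's false-positive notes describe. Field names beyond
TargetName, the sample records and the trusted-domain list are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: the domains whose hosts are expected RDP targets.
TRUSTED_DOMAINS = ("corp.example.com",)

# 8001 is the outgoing-NTLM audit record; other NTLM audit IDs must not match.
OUTGOING_NTLM_AUDIT = 8001
RDP_SPN_PREFIX = "TERMSRV"  # SPN service class requested by Remote Desktop clients


@dataclass(frozen=True)
class NtlmEvent:
    """Minimal model of an NTLM Operational record (constructed field names)."""
    event_id: int
    target_name: str      # e.g. 'TERMSRV/host.corp.example.com'
    user_name: str
    process_name: str


def rdp_target(ev: NtlmEvent):
    """Core Sigma selection: EventID 8001 AND TargetName|startswith 'TERMSRV'.

    Returns the host part of the SPN, or None when the event does not match.
    Sigma string matching is case-insensitive, hence the upper().
    """
    if ev.event_id != OUTGOING_NTLM_AUDIT:
        return None
    if not ev.target_name.upper().startswith(RDP_SPN_PREFIX):
        return None
    _, _, host = ev.target_name.partition("/")
    return host.strip().lower()


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Tuning layer for the rule's documented false positives."""
    if not host:
        return "unparsed"
    try:
        ipaddress.ip_address(host)
        return "ip-address"        # RDP by IP forces NTLM even for domain hosts
    except ValueError:
        pass
    if "." not in host:
        return "short-name"        # non-FQDN name: may still be a domain host
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted-domain"    # excluded, per the rule's false-positive guidance
    return "non-domain"


def evaluate(events, trusted=TRUSTED_DOMAINS):
    """Return (event, host, verdict) for every event that should alert."""
    alerts = []
    for ev in events:
        host = rdp_target(ev)
        if host is None:
            continue
        verdict = classify_host(host, trusted)
        if verdict == "trusted-domain":
            continue
        alerts.append((ev, host, verdict))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    NtlmEvent(8001, "TERMSRV/fileserver01.corp.example.com", "jdoe", "mstsc.exe"),
    NtlmEvent(8001, "TERMSRV/10.0.0.25", "jdoe", "mstsc.exe"),
    NtlmEvent(8001, "cifs/fileserver01.corp.example.com", "jdoe", "explorer.exe"),
    NtlmEvent(8001, "TERMSRV/vps-7.rdp-hosting.example.net", "jdoe", "mstsc.exe"),
    NtlmEvent(8002, "TERMSRV/fileserver01.corp.example.com", "svc", "lsass.exe"),
    NtlmEvent(8001, "termsrv/build07", "jdoe", "mstsc.exe"),
]

if __name__ == "__main__":
    for ev, host, verdict in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {verdict:<12} {ev.user_name} via {ev.process_name} -> {host}")
```

Of the six sample records, the CIFS target and the Event ID 8002 record never match the selection, the FQDN in the trusted domain is dropped by the exclusion layer, and the remaining three alert with a verdict that tells the analyst whether the target is genuinely outside the domain or merely a domain host addressed by IP or short name, which is where most of this rule's tuning effort goes.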
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Logon Session
Created: 2020-05-22